Snort mailing list archives

Re: snort speed


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 29 Dec 2003 14:10:57 -0500

At 07:01 AM 12/26/2003, snort wrote:
how much could snort handle (MBps) on a regular network??

That's nearly impossible to answer with so little information.

Some combinations of hardware and config can barely handle the 1.5mbit/sec of a t1 line, others can handle hundreds of mbit/sec. Some even reach gigabit speeds, but don't expect to keep up with gigabit without some extensive tuning. (or buying a pre-tuned box)

There are a lot of variables that affect snort performance, and they can make HUGE differences in performance.

All of the following questions are VERY significant to the datarate snort will be able to handle. Each of these questions can easily make a 30% difference in how much traffic you can handle before experiencing packet loss.

What OS do you run?
What type of libpcap, standard or Phil Wood's version?
What does your ruleset look like? hand trimmed, or stock? Or stock with extra rules added?
What is EXTERNAL_NET declared as?
Does HOME_NET consist of multiple comma-delimited ranges? If so, how many ranges?
What KIND of traffic dominates the traffic going past snort? Details here matter more than you probably suspect.
What version of snort?
Are you using PCRE (2.1 = yes, 2.0 depends if you patch it in or not)?
Are you using flexresp?
What preprocessors are you using?
What kind of output logging?
What's the short-term maximum datarate (not the average rate limited by your internet connection)?
What kind of CPU?
How much ram?
What kind of disk system?
What kind of NIC card?
What approximate percentage of cpu and disk IO are consumed by non-snort processes?
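
Several of the configuration questions above (EXTERNAL_NET, the number of HOME_NET ranges, preprocessors, output logging, PCRE use) can be answered straight from snort.conf. The following is an added example, not part of the original post or of Snort itself; it assumes Snort 2.x snort.conf syntax, and the sample config and the summarize() name are constructed for illustration.

```python
# Added example: inventory the performance-relevant settings in a snort.conf.
RULE_ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}

# Constructed sample in Snort 2.x syntax (not taken from the original post).
SAMPLE_CONF = r"""
var HOME_NET [10.1.1.0/24,192.168.1.0/24,172.16.0.0/16]
var EXTERNAL_NET any
var RULE_PATH ./rules
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
# preprocessor portscan: $HOME_NET 4 3 portscan.log
output alert_syslog: LOG_AUTH LOG_ALERT
output database: log, mysql, user=snort dbname=snort host=localhost
include $RULE_PATH/web-iis.rules
# include $RULE_PATH/icmp-info.rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed rule"; pcre:"/cmd\.exe/i"; sid:1000001;)
"""

def summarize(conf_text):
    """Collect variables, preprocessors, outputs, includes and rule counts."""
    info = {"vars": {}, "preprocessors": [], "outputs": [], "includes": [],
            "inline_rules": 0, "pcre_rules": 0}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blanks and disabled lines
            continue
        parts = line.split(None, 1)
        keyword, rest = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if keyword == "var":
            name, value = (rest.split(None, 1) + [""])[:2]
            info["vars"][name] = value.strip()
        elif keyword in ("preprocessor", "output"):
            # keep only the plugin name, dropping its ": options" part
            info[keyword + "s"].append(rest.split(":", 1)[0].strip())
        elif keyword == "include":
            info["includes"].append(rest)
        elif keyword in RULE_ACTIONS:          # a rule written directly in the conf
            info["inline_rules"] += 1
            info["pcre_rules"] += "pcre:" in rest
    home = info["vars"].get("HOME_NET", "")
    info["home_net_ranges"] = [r.strip() for r in home.strip("[]").split(",") if r.strip()]
    return info

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_CONF).items():
        print(f"{key}: {value}")
```

Rules in included files are only listed here, not counted, since counting them needs the rule files on disk.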



