Snort mailing list archives
Re: throughput of snort usually(and with specific rules)
From: L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com>
Date: Tue, 13 Apr 2010 07:57:07 -0500
Hi. I think detecting phishing attacks with snort is going to be tough. Since the phishing sites are not hosted on your networks, you wont see the traffic unless the phishing site links back to your sites somehow (e.g. maybe to a .gif or something) in which case you can usually detect it in the HTTP Referer header to your sites. But don't use snort for that, just analyze your web logs. As for malware, I'd recommend using the Emerging Threats ruleset (www.emergingthreats.net). Hope this helps. Cheers. -L0rd Ch0de1m0rt On Tue, Apr 13, 2010 at 2:33 AM, d a <xstoneheartx () yahoo com> wrote:
Hi, everybody In a security project I want to make an IDS/IPS System based on snort but I have to satisfy employer and investors for my choice about Snort. One of the problem that I have is about the input traffic rate/throughput that snort can support and analyze with a good performance(Low CPU usage and packet drop).I know that it depends on a number of factors like the configuration of the system and which rules we are running as well as the underlying hardware and the OS configuration, But I want to know the normal range of its throughput. Some where I read somebody wants to use it for 1-2 gb/s rate of traffic. Dose snort really works for xgb/s rate of input traffic without so much drop and high CPU usage? In a book about snort that published in 2003(Intrusion detection with Snort By Jack Kozio ) that I think it's talking about snort-2.2 was wrote that snort works for 100Mb correctly and starts to loss packets in 200-300 Mb and can not run at traffic level higher than 500Mb. Does any body know about these numbers for snort-2.8.5? The specification of my system that snort sensor is running on: CPU : Intel core 2 duo 2.8GHz RAM: 2-4 gig DDR2 KINGMAX Hard:300 gig maxtor SATA 3 Ethernet Port 10/100 The network that I want to use system for includes more than 150 systems with a traffic rate of 200 Mb/s or more. and the snort configuration that I need includes: enabling preprocessors , and enabling rules to detect web & CGI attacks, Phishing attacks , malwares and spywares and some others. I want to use snort with out any accelerators. If I had to use one, is there any open-Source accelerator for snort? Another question that I have is about OS.I'm using Suse10.3, is it suitable for our security goals or other OS like cent-OS,open-BSD, .. are more secure? Thanks a lot for your helps. ------------------------------------------------------------------------------ Download Intel® Parallel Studio Eval Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta. http://p.sf.net/sfu/intel-sw-dev _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs
------------------------------------------------------------------------------ Download Intel® Parallel Studio Eval Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta. http://p.sf.net/sfu/intel-sw-dev _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs
Current thread:
- throughput of snort usually(and with specific rules) d a (Apr 13)
- Re: [Snort-devel] throughput of snort usually(and with specific rules) Jules Disso (Apr 13)
- Re: throughput of snort usually(and with specific rules) L0rd Ch0de1m0rt (Apr 13)
- Re: [Snort-users] throughput of snort usually(and with specific rules) Joel Esler (Apr 13)