[Snort-devel] How about snort performance?

Martin Roesch roesch at ...402...
Mon Mar 18 07:37:06 EST 2002

The performance depends on:

CPU (how fast, integer performance, memory bus bandwidth, I/O bus
RAM (how much, how fast)
System bus (PCI, PCI-X, 64-bit/66MHz or 32-bit/33MHz, S-Bus, etc)
Traffic (average packet size, average packet type, packets per second)
Rules (how many, what kind, how often they go off)
Preprocessors (how often do specific preprocessors get hit, how often do
they alert, how much state do they keep, how many bytes per packet do they
Output (how many output modules are active, how fast are they, how often do
they get called,)

That¹s the problem you¹re trying to solve.  In general,  Snort is ³fast²
which means that it has a high probability of detecting a given event on a
network given enough hardware and proper configuration.

Sorry we can¹t be more specific, but in general faster hardware running
fewer rules/preprocessors/output plugins is faster than  otherwise.


On 3/18/02 2:36 AM, "meggie yang" <meggie_yang_jun at ...398...> wrote:

> Hi, 
> Could you tell me The Open Source Network Intrusion Detection System
> performance?How many packets/second the system can handle?I need some
> performance data.
> Thanks,
> Meggie
> Do You Yahoo!?
> Yahoo! Sports <$rd_url/tag/http://sports.yahoo.com/>  - live college hoops
> coverage

Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...402... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20020318/dc4c1b20/attachment.html>

More information about the Snort-devel mailing list