[Snort-devel] Snort Inline performance question

Will Metcalf william.metcalf at ...2499...
Wed May 11 21:51:33 EDT 2005


I still think this is an apples-to-oranges comparison, but to answer your 
question: using unified logging produces far less overhead than running 
snort_inline/snort in inline mode. The thing that is going to kill you with 
snort_inline is context switching, i.e. a packet enters the kernel, is sent to 
userspace, is analyzed by snort, and then a verdict is sent back to the kernel to 
either drop or reinject the packet back into the network. All of this has to 
be done before the next packet is analyzed. Currently context switching is 
happening on every packet as well, because the QUEUE doesn't support sending 
multiple packet messages to userspace in a single context switch. I'm not 
quite sure how you are planning to use unified logging to achieve your IPS 
functionality; you might want to take a look at snortsam. Frank Knobbe has 
done an excellent job with this program; it is definitely worth checking out.

Regards,

Will
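To make the per-packet context-switch cost concrete, here is a small discrete-event model of the inline path Will describes (kernel queue, user-space analysis, verdict returned per round trip). This is an added illustration, not Snort or ip_queue code; the parameter values (arrival interval, analysis cost, switch cost, queue length) are constructed, and the "batch" mode is a hypothetical extension that models what the QUEUE mechanism of the time did not offer: several packet messages per context switch.

```python
"""Toy model of an inline IDS/IPS packet path (constructed example, not Snort code):
packets queue in the kernel, a user-space analyser pulls them, and each
kernel <-> user-space round trip (context switch) costs a fixed amount of time."""
from collections import deque
from dataclasses import dataclass


@dataclass
class Result:
    delivered: int          # packets that received a verdict (drop or reinject)
    dropped: int            # packets discarded by the kernel because its queue was full
    context_switches: int   # kernel <-> user-space round trips that were needed


def simulate(n_packets: int, arrival_us: float, analysis_us: float,
             switch_us: float, maxlen: int, batch: int = 1) -> Result:
    """Simplified, deterministic model (all parameters are assumptions):
    - one packet arrives every `arrival_us` microseconds
    - the kernel queue holds at most `maxlen` packets; overflow is dropped
    - each round trip to user space costs `switch_us`, plus `analysis_us` per packet
    - up to `batch` packets share one round trip (batch=1 is today's per-packet case)
    """
    queue: deque = deque()
    arrived = delivered = dropped = switches = 0
    now = 0.0

    def admit_until(t: float) -> None:
        # Move every packet that has arrived by time t into the kernel queue,
        # dropping it if the queue is already at its limit.
        nonlocal arrived, dropped
        while arrived < n_packets and arrived * arrival_us <= t:
            if len(queue) < maxlen:
                queue.append(arrived)
            else:
                dropped += 1
            arrived += 1

    while arrived < n_packets or queue:
        if not queue:
            now = max(now, arrived * arrival_us)   # idle until the next packet arrives
        admit_until(now)
        k = min(batch, len(queue))
        for _ in range(k):
            queue.popleft()       # user space takes k packets in a single switch
        switches += 1
        now += switch_us + analysis_us * k   # one round trip plus per-packet analysis
        delivered += k
        admit_until(now)          # packets that arrived while we were in user space
    return Result(delivered, dropped, switches)


if __name__ == "__main__":
    # Constructed figures: 100k pps, 6 us of analysis, 14 us per context switch,
    # and a 16-packet kernel queue. Per-packet verdicts cannot keep up (20 us of
    # work per 10 us of arrivals), so the queue fills and the kernel starts dropping.
    print("per-packet verdicts:", simulate(1000, 10, 6, 14, 16, batch=1))
    print("8 packets per switch:", simulate(1000, 10, 6, 14, 16, batch=8))
```

With these constructed numbers the per-packet run delivers 516 packets and drops 484, with one context switch per delivered packet, while sharing a switch between up to eight packets brings the drop count to zero with far fewer round trips. The absolute values mean nothing for a real deployment; the point is that the fixed per-switch cost, not the analysis itself, is what decides whether the inline path keeps up with the wire, which is exactly the overhead the unified-logging path avoids.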

On 5/11/05, Terry Vernon <tvernon24 at ...2251...> wrote:
> 
> What I'm asking is, would it be faster to use unified logging and pipe
> it to a third party application to create an IPS, or use snort_inline? I
> want to know how much slower snort runs when in inline mode than in
> unified logging mode; it doesn't matter that they serve different
> functions, I just need to know what the overhead is and which drops fewer
> packets on extremely large and fast networks.
> 
> Thanks
> Terry Vernon
> 
> William Metcalf wrote:
> 
> > Errrr they serve different functions, so not sure what you're asking here.
> >
> > Regards,
> >
> > Will
> > On 05/11/2005 12:45 PM, Terry Vernon <tvernon24 at ...2251...> wrote to
> > snort-devel at lists.sourceforge.net (subject: [Snort-devel] Snort Inline
> > performance question):
> >
> > What would be the performance difference between running snort in
> > unified logging mode and running it it inline mode?
> >
> > Thanks
> > Terry Vernon
> >
> >
> > _______________________________________________
> > Snort-devel mailing list
> > Snort-devel at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-devel
> >
> 
>