[Snort-devel] [Snort-users] throughput of snort usually(and with specific rules)

Joel Esler joel.esler at ...3080...
Tue Apr 13 09:32:48 EDT 2010


At Sourcefire, with our hardware, we have boxes that achieve a  
throughput of 20 gig a second.

For a non-appliance, It depends more on things, hardware, rules, ram,  
nic driver, etc.  For our appliances, we design our boxes for speed.

However, Snort doesn't have a speed hard stop.

Joel Esler
Sent from my iPhone

On Apr 13, 2010, at 3:33 AM, d a <xstoneheartx at ...398...> wrote:

> Hi, everybody
> In a security project I want to make an IDS/IPS System based on  
> snort but I have to satisfy employer and investors for my choice  
> about Snort.
> One of the problem that I have is about the input traffic rate/ 
> throughput that snort can support and analyze with a good performance 
> (Low CPU usage and packet drop).I know that it depends on a number  
> of factors like the configuration of the system and which rules we  
> are running as well as the underlying hardware and the OS  
> configuration, But I want to know the normal range of its throughput.
> Some where I read somebody wants to use it for 1-2 gb/s rate of  
> traffic. Dose snort really works for xgb/s rate of input traffic  
> without so much drop and high CPU usage?
> In a book about snort that published in 2003(Intrusion detection  
> with Snort By Jack Kozio ) that I think it's talking about  
> snort-2.2  was wrote that snort works for 100Mb correctly and starts  
> to loss packets in 200-300 Mb and can not run at traffic level  
> higher than 500Mb. Does any body know about these numbers for  
> snort-2.8.5?
> The specification of my system that snort sensor is running on:
> CPU : Intel core 2 duo 2.8GHz
> RAM: 2-4 gig DDR2 KINGMAX
> Hard:300 gig maxtor SATA
> 3 Ethernet Port 10/100
> The network that I want to use system for includes more than 150  
> systems with a traffic rate of 200 Mb/s or more.
> and the snort configuration that I need includes:
> enabling  preprocessors , and enabling rules to detect web & CGI  
> attacks, Phishing attacks , malwares and spywares and some others.
> I want to use snort with out any accelerators. If I had to use one,  
> is there any open-Source accelerator for snort?
> Another question that I have is about OS.I'm using Suse10.3, is it  
> suitable for our security goals  or other OS like cent-OS,open- 
> BSD, .. are more secure?
> Thanks a lot for your helps.
> --- 
> --- 
> --- 
> ---------------------------------------------------------------------
> Download Intel® Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

More information about the Snort-devel mailing list