[Snort-devel] using snort for 10Gbps traffic rate
mcholste at ...2499...
Sat Apr 9 00:00:13 EDT 2011
My rule of thumb thus far has been that on commodity hardware with
PF_RING, you can run 1000 signatures per 500 Mb/sec of traffic per
Snort instance before you start dropping packets. You want to run
20x500, so I would think that a single Snort instance could run 50
signatures at 10 gig. However, you're definitely going to need
PF_RING or TNAPI and a recent network card, or better yet a 10 gig
Endace DAG card to process packet headers at 10 gig. Also,
preprocessors will take a heavy toll; I cannot vouch for a Snort
process running even zero rules with all preprocessors turned on to
perform at 10 gig with no drops. If anyone on the list has
successfully run a single Snort instance against a full 10 gig
line-speed of real-world traffic, I'd like to hear it. Many run at
the 1-3 Gb/sec range, but few run at full 10 gig line-speed.
Something to consider: the PF_RING DAQ module allows multiple Snort
processes to load balance the traffic so that you can have a cluster
of Snort instances on a single machine. DAG cards allow a similar
load-balancing to occur.
On Fri, Apr 8, 2011 at 10:39 PM, d a <xstoneheartx at ...398...> wrote:
> Can the snort2-9 package be used for protecting 10Gbps traffic rate without
> need to use parallel snort sensors and breaking (splitting) traffic between
> them? Can a single snort engine handle this rate? If yes, so still with the
> assumption of no limitation in hardware and simplest configuration, how many
> rules approximately can be enabled to handle this rate with acceptable
> packet drops rate, acceptable CPU usage,…?
> The reason that I insist on this topic is because what I found in documents
> and papers about snort performance and its supported rate, all were about
> less than 1Gbps and there were some solutions to develop a hardware
> accelerator for it to support 10Gbps rate.
> Thank you very much for your help.
> From: Nigel Houghton <nhoughton at ...402...>
> To: d a <xstoneheartx at ...398...>
> Cc: matan monitz <mmonitz at ...2499...>; snort-devel at lists.sourceforge.net
> Sent: Tue, April 5, 2011 7:49:53 PM
> Subject: Re: [Snort-devel] using snort for an IDS/IPS appliance
> On Tue, 5 Apr 2011 07:37:38 -0700 (PDT), d a wrote:
>> I know that sourcefire has a product for this purpose but that is a
>> commercial product while what we want to do is not a commercial
>> project it's an experimental and research project and as far as I
>> know sourcefire is using another generation of snort (3D) for their
>> appliance not exclusively snort2-9 software.
> The Snort that is on a Sourcefire appliance is the same Snort that you
> can download from snort.org. There is no "special Snort".
> Nigel Houghton
> Head Mentalist
> SF VRT Department of Intelligence Excellence
> http://vrt-blog.snort.org/ && http://labs.snort.org/
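As an added illustration (not code from the thread or from the Snort project), the POSIX shell sketch below turns the rule of thumb above (1000 signatures per 500 Mb/sec per Snort instance) into an instance count and emits the command lines for a PF_RING-clustered set of instances, one per CPU, so the flows are load-balanced instead of dropped. The DAQ variable names clusterid and bindcpu, the interface eth4, cluster id 10 and the 24-core sensor are assumptions; the commands are only printed, not executed.

```shell
#!/bin/sh
# Rule of thumb from the thread: one PF_RING-backed Snort instance handles
# roughly 1000 signatures per 500 Mb/s before packets start dropping.
# Expressed as a budget of (rules x Mb/s) per instance:
RULE_MBPS_PER_INSTANCE=500000

# plan_instances RATE_MBPS RULE_COUNT
# Prints the number of Snort instances needed (rounded up) so that no
# single instance exceeds the budget above.
plan_instances() {
    rate=$1; rules=$2
    load=$((rate * rules))
    echo $(( (load + RULE_MBPS_PER_INSTANCE - 1) / RULE_MBPS_PER_INSTANCE ))
}

# snort_cluster_cmds IFACE CLUSTER_ID N_INSTANCES NCPU CONF
# Prints one snort command line per instance. All instances share one
# PF_RING cluster id, so the kernel module spreads flows across them, and
# each is pinned to its own CPU. Returns 1 if there are more instances
# than CPUs to pin them to (a sign the box cannot carry the rule set).
# "clusterid" and "bindcpu" are assumed pfring DAQ variable names; check
# the DAQ module's own documentation for your version.
snort_cluster_cmds() {
    iface=$1; cluster=$2; n=$3; ncpu=$4; conf=$5
    if [ "$n" -gt "$ncpu" ]; then
        echo "need $n instances but only $ncpu CPUs to pin them to" >&2
        return 1
    fi
    i=0
    while [ "$i" -lt "$n" ]; do
        echo "snort -c $conf -i $iface --daq pfring --daq-mode passive" \
             "--daq-var clusterid=$cluster --daq-var bindcpu=$i -D"
        i=$((i + 1))
    done
}

# Constructed scenario: a 10 Gb/s link, a 1000-rule set, a 24-core sensor.
n=$(plan_instances 10000 1000)   # 20 instances, matching the "20x500" above
snort_cluster_cmds eth4 10 "$n" 24 /etc/snort/snort.conf
```

Running the generated commands drops you straight into 20 daemons; cap the instance count at your CPU count before doing so, as the helper insists.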