[Snort-devel] SourceFire Appliance 3D9900 capabilities

Jeff Murphy jeff.murphy at ...2499...
Thu Apr 14 09:10:16 EDT 2011


+1

Rule complexity and enabled features will play a large role in performance.


As an aside, a message came across snort-users two days ago and discussed sizing. 


http://sourceforge.net/mailarchive/forum.php?thread_name=BANLkTin1K4y77eYVZ1mbQ%3DjTDzfi19x%3DcA%40mail.gmail.com&forum_name=snort-users

Anecdotally, I'm sending 2Gbps through 5 snort processes using Endace cards. I have 450 rules (with some sort of content matching, pcres) as well as a few in-house rules that match about 400 addresses only (no content matching). I'm running the stock snort.conf from 2.9.0.5 with the exception that I've increased the memcap for stream5. I see ~0.5% dropped. So in theory I should be able to handle 10 Gbps with 25 snort processes. The machine can handle around 32 and uses internal load balancing to spread the traffic out.

jeff

 
On Apr 14, 2011, at 8:27 AM, Jason Wallace wrote:

> There is no integer answer to that question for any IPS. If any IPS
> vendor ever tells you differently, you should just get up and walk out
> of the room.
> 
> It depends on what kind of traffic the sensor would see (not just the
> volume), what is the quality of that traffic from a
> fragmentation/session perspective, what do you want to look
> for/protect from, number of resources given to a detection engine,
> what preprocessors will you need to run, number of ports that need to
> be tracked by stream5, and what the overhead of the rules you're running
> is... just to name a few.
> 
> In SF devices, each rule has a "Rule Overhead" rating (low, medium,
> high, very high). While this probably isn't a scientific numerical
> rating (correct me if I'm wrong here), it isn't some random attribute
> either. You would probably be able to run far fewer "Very High" rules
> than "Low" rules (hmmm that gives me an idea for a feature request).
> 
> Thx,
> Wally
> 
> On Thu, Apr 14, 2011 at 7:40 AM, d a <xstoneheartx at ...398...> wrote:
>> Does anybody know how many enabled rules are supported with SourceFire
>> Appliance 3D9900 at a 10 Gbps traffic rate?
>> 
>> ________________________________
>> From: Martin Holste <mcholste at ...2499...>
>> To: d a <xstoneheartx at ...398...>
>> Cc: Nigel Houghton <nhoughton at ...402...>;
>> snort-devel at lists.sourceforge.net
>> Sent: Sat, April 9, 2011 8:30:13 AM
>> Subject: Re: [Snort-devel] using snort for 10Gbps traffic rate
>> 
>> My rule of thumb thus far has been that on commodity hardware with
>> PF_RING, you can run 1000 signatures per 500 Mb/sec of traffic per
>> Snort instance before you start dropping packets.  You want to run
>> 20x500, so I would think that a single Snort instance could run 50
>> signatures at 10 gig.  However, you're definitely going to need
>> PF_RING or TNAPI and a recent network card, or better yet a 10 gig
>> Endace DAG card to process packet headers at 10 gig.  Also,
>> preprocessors will take a heavy toll; I cannot vouch for a Snort
>> process running even zero rules with all preprocessors turned on to
>> perform at 10 gig with no drops.  If anyone on the list has
>> successfully run a single Snort instance against a full 10 gig
>> line-speed of real-world traffic, I'd like to hear it.  Many run at
>> the 1-3 Gb/sec range, but few run at full 10 gig line-speed.
>> 
>> Something to consider: the PF_RING DAQ module allows multiple Snort
>> processes to load balance the traffic so that you can have a cluster
>> of Snort instances on a single machine.  DAG cards allow a similar
>> load-balancing to occur.
>> 
>> On Fri, Apr 8, 2011 at 10:39 PM, d a <xstoneheartx at ...398...> wrote:
>>> Hi,
>>> 
>>> Can the snort2-9 package be used for protecting a 10Gbps traffic rate
>>> without the need to use parallel snort sensors and breaking (splitting)
>>> traffic between them? Can a single snort engine handle this rate? If yes,
>>> then still with the assumption of no limitation in hardware and the
>>> simplest configuration, how many rules approximately can be enabled to
>>> handle this rate with an acceptable packet drop rate, acceptable CPU
>>> usage,…?
>>> 
>>> The reason that I insist on this topic is that what I found in documents
>>> and papers about snort performance and its supported rate was all about
>>> less than 1Gbps, and there were some solutions to develop a hardware
>>> accelerator for it to support a 10Gbps rate.
>>> 
>>> 
>>> 
>>> Thank you very much for your help.
>>> 
>>> ________________________________
>>> From: Nigel Houghton <nhoughton at ...402...>
>>> To: d a <xstoneheartx at ...398...>
>>> Cc: matan monitz <mmonitz at ...2499...>; snort-devel at lists.sourceforge.net
>>> Sent: Tue, April 5, 2011 7:49:53 PM
>>> Subject: Re: [Snort-devel] using snort for an IDS/IPS appliance
>>> 
>>> On Tue, 5 Apr 2011 07:37:38 -0700 (PDT), d a wrote:
>>>> I know that sourcefire has a product for this purpose but that is a
>>>> commercial product while what we want to do is not a commercial
>>>> project it's an experimental and research project and as far as I
>>>> know sourcefire is using another generation of snort (3D) for their
>>>> appliance, not exclusively snort2-9 software.
>>> 
>>> The Snort that is on a Sourcefire appliance is the same Snort that you
>>> can download from snort.org. There is no "special Snort".
>>> 
>>> --
>>> Nigel Houghton
>>> Head Mentalist
>>> SF VRT Department of Intelligence Excellence
>>> http://vrt-blog.snort.org/ && http://labs.snort.org/
>>> 
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> Snort-devel mailing list
>>> Snort-devel at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
> 
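A sizing helper, added here as an example that is not part of the thread or of Snort itself: it codes the two rules of thumb quoted above (rules × Mb/s per instance treated as a constant, which is the linear assumption both posters make) and emits launch lines for a PF_RING DAQ cluster of the resulting size. Interface, config path, PID directory and cluster id are assumptions; the clusterid/bindcpu DAQ variables are those of the ntop PF_RING DAQ module.

```python
import math
import shlex

# Calibration points taken from the posts above (rules, Mb/s per instance).
RULE_OF_THUMB = (1000, 500.0)   # Holste: 1000 signatures per 500 Mb/s per instance
ANECDOTE = (450, 2000.0 / 5)    # Murphy: 450 rules, 2 Gb/s over 5 processes, ~0.5% drops


def budget(point):
    """Rules x Mb/s one instance handles. Assumes, as the thread does, that
    halving the rule count roughly doubles the bandwidth one instance inspects."""
    rules, mbps = point
    return rules * mbps


def instances_needed(target_mbps, rules, point):
    """Snort processes needed to inspect target_mbps with `rules` enabled."""
    return math.ceil(target_mbps * rules / budget(point))


def max_rules(target_mbps, instances, point):
    """Rule count the same model allows per instance at a given load."""
    return int(budget(point) * instances / target_mbps)


def pfring_commands(instances, iface, conf, clusterid=10, first_cpu=0):
    """One launch line per process: all join the same PF_RING clusterid so the
    kernel module balances flows between them, and bindcpu pins each process.
    Each needs its own PID directory because Snort names the PID file after the
    interface. Paths and interface are hypothetical."""
    cmds = []
    for n in range(instances):
        argv = ["snort", "-c", conf, "-i", iface, "--daq", "pfring",
                "--daq-var", f"clusterid={clusterid}",
                "--daq-var", f"bindcpu={first_cpu + n}",
                "-D", "--pid-path", f"/var/run/snort-{n}"]
        cmds.append(shlex.join(argv))
    return cmds


if __name__ == "__main__":
    print(instances_needed(10_000, 450, ANECDOTE))   # 25, Jeff's own estimate
    print(max_rules(10_000, 1, RULE_OF_THUMB))       # 50, Martin's own estimate
    for c in pfring_commands(4, "eth4", "/etc/snort/snort.conf"):
        print(c)
```

Treat the numbers as a starting point for a drop-rate measurement on real traffic, not a guarantee; preprocessors and rule content, as the thread notes, move the budget substantially.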