[Snort-devel] SourceFire Appliance 3D9900 capabilities
mcholste at ...2499...
Thu Apr 14 11:53:43 EDT 2011
> Anecdotally, I'm sending 2Gbps through 5 snort processes using Endace cards. I have 450 rules (with some sort of content matching, pcres) as well as a few in house rules that match about 400 addresses only (no content matching). I'm running the stock snort.conf from 220.127.116.11 with the exception that I've increased the memcap for stream5. I see ~0.5% dropped. So in theory I should be able to handle 10 Gbps with 25 snort processes. The machine can handle around 32 and uses internal load balancing to spread the traffic out.
Cool--thanks for the anecdote. Of course there are a ton of factors
that go into how a sensor performs and you can't get overly
scientific, but on traffic that is primarily web requests to your
basic Internet sites (google, facebook, etc.), traffic looks and
behaves very similarly, so I think comparisons are valuable.
Server-bound traffic into your web servers is an entirely different
animal, and there all bets are off.
I have an older Endace card that only allows two streams, so I've not
been able to experiment much with DAG load balancing. So you're doing
5 CPU = 2000 Mbps * 450 rules, which is pretty close to my
guestimation formula which would predict needing (4 * 500 Mbps) * (.5
* 1000) rules = 4 * .5 = 2. The higher traffic rates will obviously
increase the Stream5 overhead significantly, so I wonder what CPU
utilization you'd see if only running preprocs at 2Gbps.
More information about the Snort-devel