[Snort-devel] snort sp for 10GE link

Martin Holste mcholste at ...2499...
Thu Aug 25 09:34:35 EDT 2011


None of the GPU-based stuff is ready for primetime.  There was a
project a few years ago called Gnort which used GPUs, but that ended
and code was never released.  As you've pointed out, Suricata's GPU
implementation is not efficient and therefore not an option.

You can do software load balancing of Snort with PF_RING.  I have a
short write-up on how to do this here:
http://ossectools.blogspot.com/2011/07/running-load-balanced-snort-in-pfring.html
.  My general rule of thumb is you need 1 CPU per 1000 rules per 100
Mbit of traffic, so at 1000 Mbit, you can only run 10 rules per CPU.
However, at that speed, the preprocessor performance becomes a major
factor.  At 10 Gbit, you are down to 1 rule per CPU, assuming that
your preprocessors (like HTTP, DCE, etc.) can keep up (which they
cannot).  So, you may be able to inspect 10 Gbit of DCE/SMB traffic,
but I doubt you can inspect 10 Gbit of HTTP or SMTP traffic at
wirespeed.

If you really have a saturated 10 Gbit connection, you are probably
better off with a hardware load-balancer and setting up a cluster of
machines.  A much better approach would be to limit the scope of the
traffic you want to inspect to get it down to more like 1-2 Gbps,
which is still quite a challenge to inspect without drops, even with a
very limited rule set.

On Thu, Aug 25, 2011 at 7:45 AM, ahmad reza noroozi
<ahmadrezanoroozi at ...2499...> wrote:
> I am to make an IDS for 10GE links
> I have used Snort in recent years
> I want to know whether anybody has performance testing for Snort SP for high
> bandwidth?
> Can it handle above 5000,000 concurrent sessions at a high speed
> rate (for example in stream5 processors)?
> As you may know, Suricata is able to use the GPU, but multithreading in
> it is not efficient.
> I want to use GPU (graphics processing unit) Tesla cards to
> accelerate Snort for a 10GE link. Is there any performance testing for a
> multiple-core system speed-up for Snort SP?
> Is it better to accelerate with GPU or with a multi-core system?
>
> I am very interesting to Martin Roesch and happy to he also answer me
>