[Snort-devel] Query about the performance

Jeff Murphy jeff.murphy at ...2499...
Thu Jun 9 09:03:52 EDT 2011


On Jun 9, 2011, at 3:59 AM, Gaurav Suryagandh wrote:

> Basically with a fairly good quality of hardware (96GB RAM and a couple
> of multi-core processors)
> 
> will I be able to capture at line rate of 10Gbps with finite number of
> rules around (64- spanning across, L2, L3 and application)?
> 
  

My experience has been that you'll need around 24 cores, a controlled approach to the types and quantities of rules you deploy, and an understanding of what type of traffic mix you expect. I'd prioritize in that order. Memory, while important, is less of a factor than, say, cores or bus throughput.


jeff


> Thanks,
> Gaurav
> 
> On 06/08/2011 08:58 PM, Steven Sturges wrote:
>> I'm not entirely sure of what you are trying to do, so it is tough
>> to answer specifically.
>> 
>> The capture rate is affected by a number of factors -- speed of
>> the hardware, drivers, kernel, DAQ module being used, etc.
>> 
>> Beyond the above, the performance of Snort itself is also affected
>> by the number of rules, memory settings, etc.
>> 
>> Snort is definitely capable of looking at packets in the context of
>> other packets in the flow leveraging Stream and/or flowbits.
>> 
>> On 6/8/11 5:54 AM, Gaurav Suryagandh wrote:
>>> Hi All,
>>> 
>>> I am trying to incorporate Snort in my application for packet filtering.
>>> 
>>> I have two questions regarding the same.
>>> 
>>> 1) How much is Snort's packet capture rate?
>>> 
>>> 2) Can we filter packets based on flow?
>>> 
>>> Thanks,
>>> Gaurav
>>> 
>>> _______________________________________________
>>> Snort-devel mailing list
>>> Snort-devel at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>> 
> 
> 




