[Snort-devel] Query about the performance

Martin Holste mcholste at ...2499...
Thu Jun 9 09:35:04 EDT 2011


Only 64 rules is a very small number, so you'd have a fighting chance.
 However, at 10 gig line rate, it would be a challenge to run any
application and ensure no drops.  A lot will depend on the NIC at that
point.  I would definitely recommend buying some of the nicer Intel
NICs that offload a lot of the TCP functions.

Has anyone on this list run inline Snort on 10 gig line rate?  A lot
of things can go wrong at that speed.

On Thu, Jun 9, 2011 at 2:59 AM, Gaurav Suryagandh
<gaurav.suryagandh at ...3182...> wrote:
> Basically with a fairly good quality of hardware (96GB RAM and a couple
> of multi-core processors)
>
> will I be able to capture at line rate of 10Gbps with a finite number of
> rules (around 64, spanning across L2, L3 and application)?
>
> Thanks,
> Gaurav
>
> On 06/08/2011 08:58 PM, Steven Sturges wrote:
>> I'm not entirely sure of what you are trying to do, so it is tough
>> to answer specifically.
>>
>> The capture rate is affected by a number of factors -- speed of
>> the hardware, drivers, kernel, DAQ module being used, etc.
>>
>> Beyond the above, the performance of Snort itself is also affected
>> by the number of rules, memory settings, etc.
>>
>> Snort is definitely capable of looking at packets in the context of
>> other packets in the flow leveraging Stream and/or flowbits.
>>
>> On 6/8/11 5:54 AM, Gaurav Suryagandh wrote:
>>> Hi All,
>>>
>>> I am trying to incorporate Snort in my application for packet filtering.
>>>
>>> I have two questions regarding the same.
>>>
>>> 1) How much is Snort's packet capture rate?
>>>
>>> 2) Can we filter packets based on flow?
>>>
>>> Thanks,
>>> Gaurav
>>>



