[Snort-devel] Re: Could anyone share the performance data of Snort3.0 IDS

Russ rucombs at ...3461...
Wed Jan 11 05:20:28 EST 2017


Snort 3.0 does process packets differently than Snort 2.X and you will get 
better performance for equivalent configurations.  To get more 
performance, use hyperscan.  And to get best performance, use service 
rules like alert http (not yet available from Talos).

As far as we know, the new http_inspect works very well and is a huge 
improvement over the old one.  Of course, it is a major new piece of 
code and we are actively working to improve it.  If you are aware of any 
issues, please send the details to bugs at ...2256...

Thanks
Russ

On 1/10/17 8:00 PM, Nacht Z wrote:
>
> Hi:
>
>      I have tested snort 2.9 (single thread, with CPU Intel(R) Xeon(R) 
> CPU E5-2640 v2 @ 2.00GHz) with 1900 rules. 
> It can only handle flow less than 300Mbps. So if the snort does not 
> change its way to analyse packets in snort 3, it may be hard to reach 
> 10Gbps in multi-thread snort 3.0.
>
>      What's more, one of my mates told me that he found http_inspector 
> couldn't work in snort 3.0.0-a4. So I'm afraid that if you want to use 
> the alpha snort 3, you may need to test its functions.
>
>                                        NachtZ
>
>                                        01/11/2017
>
>
>
> ------------------------------------------------------------------------
> *From:* Sunyi LIu <sunnysunny128 at ...1389...>
> *Sent:* January 10, 2017 16:56
> *To:* snort-devel at lists.sourceforge.net
> *Subject:* [Snort-devel] Could anyone share the performance data of 
> Snort3.0 IDS
> hi,
>   We are working on a 10Gbps IDS plan, could anyone share the 
> performance data of Snort3.0 in IDS mode. Let's say we have such as 
> 1000 rules.
> And we could figure out if we can make good use of Snort3.0.
> Thanks.
>
> BR
> sunny
>
>
>
>
