[Snort-openappid] [Snort-users] Snort limitations

Stark, Vernon L. Vernon.Stark at ...15...
Thu Mar 27 19:58:05 EDT 2014


Ayoub,

You may want to look at tuning Snort to improve performance.  Steven Sturges wrote a great document on tuning Snort (http://www.snort.org/assets/163/WhitePaper_Snort_PerformanceTuning_2009.pdf).  An example parameter that can be modified is server_flow_depth.  Depending upon the characteristics of traffic on your network, a change in this parameter may make a very large difference in how Snort performs.

Also, as Nick indicates below, more CPU and memory may be required to achieve adequate performance in your environment.  I suspect most environments run Snort on hosts with many processors and a large amount of memory and divide the network traffic among multiple instances of Snort.

Vern
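
The `server_flow_depth` trade-off mentioned above, as an added snort.conf example that is not from any participant in this thread. It assumes Snort 2.9.x syntax; the port list and depth value are illustrative assumptions, and the existing `preprocessor http_inspect: global ...` line is assumed to stay in place.

```conf
# Added example for Snort 2.9.x snort.conf; values are illustrative assumptions.

# Inspect-everything setting: 0 means the whole HTTP server response is
# normalized and passed to the rules, which is the most expensive choice.
# preprocessor http_inspect_server: server default \
#     profile all ports { 80 8080 } \
#     server_flow_depth 0

# Bounded setting: only the first 300 bytes of each server response are
# inspected. Less CPU per flow, but content deeper in a response is not
# seen by rules, so choose the depth with your rule set in mind.
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 } \
    server_flow_depth 300

# Measure the effect instead of guessing: print the ten most expensive
# preprocessors at exit (needs a Snort build with performance profiling).
config profile_preprocs: print 10, sort avg_ticks
```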

From: Nicholas Mavis (nmavis) [mailto:nmavis at ...5...]
Sent: Thursday, March 27, 2014 6:37 PM
To: Ayoub Abid; snort-users; snort-openappid at lists.sourceforge.net
Subject: Re: [Snort-users] Snort limitations

Ayoub

The performance of Snort depends on the resources available on the machine running it. The more traffic you have, the more resources (CPU/memory) you will need to have available for Snort.

Nick

From: Ayoub Abid <abid.ayoub at ...8...>
Date: Thursday, March 27, 2014 at 4:32 AM
To: snort-users <snort-users at lists.sourceforge.net>, "snort-openappid at lists.sourceforge.net" <snort-openappid at lists.sourceforge.net>
Subject: [Snort-users] Snort limitations

Hello


I want to discuss here how far we can trust Snort to secure our network. Does Snort have some limitations?

I have tested Snort for a couple of weeks. It detects attacks when we have normal traffic. But when we have huge traffic, like 2000 packets/sec, it takes a long time to scan all the traffic and detect the intrusion. For example, I can have an attack now and it will report it in 10 or 15 min.

So what are the limits of Snort in detecting attacks?

Thank you
Ayoub