[Snort-openappid] [Snort-users] Snort limitations

Nicholas Mavis (nmavis) nmavis at ...5...
Fri Mar 28 12:26:15 EDT 2014

Vernon definitely provided some good information and I would recommend checking out the link he provided. Most performance issues can be attributed to running far too many rules, using poorly written rules, or large single stream flows.

Also, you are completely right: in larger environments multiple Snort instances are utilized in order to gain better performance.


From: "Stark, Vernon L." <Vernon.Stark at ...15...>
Date: Thursday, March 27, 2014 at 7:58 PM
To: nmavis <nmavis at ...5...>, Ayoub Abid <abid.ayoub at ...8...>, snort-users <snort-users at ...19...orge.net>, "snort-openappid at ...14....sourceforge.net" <snort-openappid at lists.sourceforge.net>
Subject: RE: [Snort-users] Snort limitations


You may want to look at tuning Snort to improve performance.  Steven Sturges wrote a great document on tuning Snort (http://www.snort.org/assets/163/WhitePaper_Snort_PerformanceTuning_2009.pdf).  An example parameter that can be modified is server_flow_depth.  Depending upon the characteristics of traffic on your network, a change in this parameter may make a very large difference in how Snort performs.

Also, as Nick indicates below, more CPU and memory may be required to achieve adequate performance in your environment.  I suspect most environments run Snort on hosts with many processors and a large amount of memory and divide the network traffic among multiple instances of Snort.


From: Nicholas Mavis (nmavis) [mailto:nmavis at ...5...]
Sent: Thursday, March 27, 2014 6:37 PM
To: Ayoub Abid; snort-users; snort-openappid at lists.sourceforge.net
Subject: Re: [Snort-users] Snort limitations


The performance of Snort depends on the resources available on the machine running it. The more traffic you have, the more resources (CPU/memory) you will need to have available for Snort.


From: Ayoub Abid <abid.ayoub at ...8...>
Date: Thursday, March 27, 2014 at 4:32 AM
To: snort-users <snort-users at lists.sourceforge.net>, "snort-openappid at lists.sourceforge.net" <snort-openappid at lists.sourceforge.net>
Subject: [Snort-users] Snort limitations


I want to discuss here how far we can trust Snort to secure our network. Does Snort have some limitations?

I have tested Snort for a couple of weeks. It detects attacks when we have normal traffic. But when we have huge traffic, like 2000 pak/sec, it introduces a big delay in scanning all the traffic and detecting the intrusion. For example, I can have an attack now and it will report it in 10 or 15 min.

So what are the limits of Snort to detect attacks?

Thank you