[Snort-sigs] [Snort-users] throughput of snort usually(and with specific rules)
joel.esler at ...3366...
Tue Apr 13 09:32:48 EDT 2010
At Sourcefire, with our hardware, we have boxes that achieve a
throughput of 20 gig a second.
For a non-appliance, it depends more on things: hardware, rules, RAM,
NIC driver, etc. For our appliances, we design our boxes for speed.
However, Snort doesn't have a speed hard stop.
On Apr 13, 2010, at 3:33 AM, d a <xstoneheartx at ...144...> wrote:
> Hi, everybody
> In a security project I want to make an IDS/IPS System based on
> snort but I have to satisfy employer and investors for my choice
> about Snort.
> One of the problems that I have is about the input traffic rate/
> throughput that snort can support and analyze with a good performance
> (low CPU usage and packet drop). I know that it depends on a number
> of factors like the configuration of the system and which rules we
> are running as well as the underlying hardware and the OS
> configuration, but I want to know the normal range of its throughput.
> Somewhere I read somebody wants to use it for 1-2 gb/s rate of
> traffic. Does snort really work for xgb/s rate of input traffic
> without so much drop and high CPU usage?
> In a book about snort that was published in 2003 (Intrusion detection
> with Snort by Jack Koziol) that I think is talking about
> snort-2.2, it was written that snort works for 100Mb correctly and starts
> to lose packets in 200-300 Mb and can not run at traffic level
> higher than 500Mb. Does anybody know about these numbers for
> The specification of my system that snort sensor is running on:
> CPU : Intel core 2 duo 2.8GHz
> RAM: 2-4 gig DDR2 KINGMAX
> Hard:300 gig maxtor SATA
> 3 Ethernet Port 10/100
> The network that I want to use system for includes more than 150
> systems with a traffic rate of 200 Mb/s or more.
> and the snort configuration that I need includes:
> enabling preprocessors, and enabling rules to detect web & CGI
> attacks, phishing attacks, malware and spyware and some others.
> I want to use snort without any accelerators. If I had to use one,
> is there any open-Source accelerator for snort?
> Another question that I have is about OS. I'm using Suse 10.3, is it
> suitable for our security goals or are other OSes like CentOS,
> OpenBSD, .. more secure?
> Thanks a lot for your help.