[Snort-sigs] [Snort-users] throughput of snort usually(and with specific rules)

d a xstoneheartx at ...144...
Tue Apr 13 14:26:26 EDT 2010


Hi,
Thanks for your attention.
Sorry for that mismatch. I used Ethernet 10/100 because I thought that the traffic rate for snort should be under 100Mb to work perfectly, but actually I want to use Ethernet 10/100/1000 for my need of a 200Mb traffic rate if snort can support it. I want to use my box to protect the network of a place like a university.
I want to use snort for both IDS and IPS modes.
 
What can I do to detect phishing attacks in my IDS/IPS box? Can use of ClamAV with snort be helpful?

 
Any help will be appreciated.

--- On Tue, 4/13/10, rmkml <rmkml at ...324...> wrote:

> From: rmkml <rmkml at ...324...>
> Subject: Re: [Snort-users] throughput of snort usually(and with specific rules)
> To: "d a" <xstoneheartx at ...144...>
> Cc: rmkml at ...324...
> Date: Tuesday, April 13, 2010, 12:38 PM
> Hi,
> excuse me, you have written: "3 Ethernet Port 10/100"
> but you have written: "...with a traffic rate of 200 Mb/s or more"
> You have 200Mb/s with a 100 network interface?
> another point: do you need an IDS (detection only) or an IPS (inline blocking)? Because they are quite different...
> Regards
> Rmkml
> 
> 
> On Tue, 13 Apr 2010, d a wrote:
> 
> > Hi, everybody
> > In a security project I want to make an IDS/IPS system based on snort, but I have to satisfy my employer and investors regarding my choice of Snort.
> > One of the problems that I have is about the input traffic rate/throughput that snort can support and analyze with good performance (low CPU usage and packet drop). I know that it depends on a number of factors like the configuration of the system and which rules we are running as well as the underlying hardware and the OS configuration, but I want to know the normal range of its throughput.
> > Somewhere I read that somebody wants to use it for a 1-2 gb/s rate of traffic. Does snort really work for xgb/s rates of input traffic without so much drop and high CPU usage?
> > In a book about snort that was published in 2003 (Intrusion Detection with Snort by Jack Koziol), which I think is talking about snort-2.2, it was written that snort works for 100Mb correctly and starts to lose packets at 200-300 Mb and cannot run at traffic levels higher than 500Mb. Does anybody know about these numbers for snort-2.8.5?
> > The specification of the system that the snort sensor is running on:
> >  CPU: Intel core 2 duo 2.8GHz
> >  RAM: 2-4 gig DDR2 KINGMAX
> >  Hard: 300 gig maxtor SATA
> >  3 Ethernet Port 10/100
> > The network that I want to use the system for includes more than 150 systems with a traffic rate of 200 Mb/s or more.
> > and the snort configuration that I need includes:
> > enabling preprocessors, and enabling rules to detect web & CGI attacks, phishing attacks, malware and spyware and some others.
> > I want to use snort without any accelerators. If I had to use one, is there any open-source accelerator for snort?
> > Another question that I have is about the OS. I'm using Suse10.3; is it suitable for our security goals, or are other OSes like CentOS, OpenBSD, .. more secure?
> > Thanks a lot for your help.
> 


      