[Snort-sigs] [Snort-users] throughput of snort usually(and with specific rules)
joel.esler at ...3366...
Tue Apr 13 17:21:01 EDT 2010
Snort can process that much traffic, it just depends on a lot of things. Like I said, it's not like there is a limit coded into Snort as to how much it can process.
Rmkml, please reply to all on list emails. It makes redundancy in emails much lower. Thank you.
On Apr 13, 2010, at 2:26 PM, d a <xstoneheartx at ...144...> wrote:
> Thanks for your attention.
> Sorry for that mismatch. I used Ethernet 10/100 because I thought that the traffic rate for snort should be under 100Mb to works perfectly, But actually I want to use Ethernet 10/100/1000 for my need of 200Mb traffic rate if snort can support it. I want to use my box to protect network of a place like university.
> I want to use snort for both IDS and IPS modes.
> What can I do to detect phishing attacks in my IDS/IPS box. Can use of ClamAv with snort be helpful?
> Any help will be appreciated.
> --- On Tue, 4/13/10, rmkml <rmkml at ...324...> wrote:
> > From: rmkml <rmkml at ...324...>
> > Subject: Re: [Snort-users] throughput of snort usually(and with specific rules)
> > To: "d a" <xstoneheartx at ...144...>
> > Cc: rmkml at ...324...
> > Date: Tuesday, April 13, 2010, 12:38 PM
> > Hi,
> > excuse me, you have writted: "3 Ethernet Port 10/100"
> > but you have writted: "...with a traffic rate of 200 Mb/s
> > or more"
> > You have 200Mb/s with 100 network interface?
> > another point: you need a ids ? (detection only) or a ips ?
> > (inline blocking) because it's more different...
> > Regards
> > Rmkml
> > On Tue, 13 Apr 2010, d a wrote:
> > > Hi, everybody
> > > In a security project I want to make an IDS/IPS System
> > based on snort but I have to satisfy employer and investors
> > for my choice about Snort.
> > > One of the problem that I have is about the input
> > traffic rate/throughput that snort can support and analyze
> > with a good performance(Low CPU usage and packet drop).I
> > know that it depends on a number of factors like the
> > configuration of the system and which rules we are running
> > as well as the underlying hardware and the OS configuration,
> > But I want to know the normal range of its throughput.
> > > Some where I read somebody wants to use it for 1-2
> > gb/s rate of traffic. Dose snort really works for xgb/s rate
> > of input traffic without so much drop and high CPU usage?
> > > In a book about snort that published in 2003(Intrusion
> > detection with Snort By Jack Kozio ) that I think it's
> > talking about snort-2.2 was wrote that snort works for
> > 100Mb correctly and starts to loss packets in 200-300 Mb and
> > can not run at traffic level higher than 500Mb. Does any
> > body know about these numbers for snort-2.8.5?
> > > The specification of my system that snort sensor is
> > running on:
> > > CPU : Intel core 2 duo 2.8GHz
> > > RAM: 2-4 gig DDR2 KINGMAX
> > > Hard:300 gig maxtor SATA
> > > 3 Ethernet Port 10/100
> > > The network that I want to use system for includes
> > more than 150 systems with a traffic rate of 200 Mb/s or
> > more.
> > > and the snort configuration that I need includes:
> > > enabling preprocessors , and enabling rules to
> > detect web & CGI attacks, Phishing attacks , malwares
> > and spywares and some others.
> > > I want to use snort with out any accelerators. If I
> > had to use one, is there any open-Source accelerator for
> > snort?
> > > Another question that I have is about OS.I'm using
> > Suse10.3, is it suitable for our security goals or
> > other OS like cent-OS,open-BSD, .. are more secure?
> > > Thanks a lot for your helps.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-sigs