[Snort-users] Snort Vs Cisco

Joshua Krage jkrage at ...624...
Tue Oct 10 22:16:46 EDT 2000


On Tue, Oct 10, 2000 at 10:58:00AM -0700, Dan Hollis wrote:
> NFR have also got an anti-linux agenda.

I find that quite hard to believe.  While they do have _technical_ issues
with the current state of Linux with regards to high-speed packet
capturing, last I heard, they are still attempting to make use of Linux.
However, at the moment, the current system with an OpenBSD-derived
kernel is a clear performance-leader.


> Last time I checked they were claiming Linux couldn't snoop 100mbit of
> traffic, while BSD could.

The claim wasn't that Linux couldn't, but rather that Linux was much
slower.  Significantly slower.

You can read more about NFR's issues regarding Linux in the following
nice archive:
    <http://www.nfr.net/pipermail/nfr-users/1999-February/001362.html>

Basic issues:
  1) Linux's current implementation of the bpf/libpcap code makes /way/
     too many copies of the packet for performance to be good.
  2) Linux Socket Filter (LSF) is nice, but still not enough.
  3) Still no counting of dropped packets.

Some of this might be coming out in 2.4, but I haven't personally heard
any exciting news from that front (from an IDS perspective). :/

Linux is nice, but it isn't the be-all and end-all that some folks keep
making it out to be.  Use the right tool for the right job, not because
you have an emotional attachment to it.


