[Snort-users] Snort performance
agetchel at ...1525...
agetchel at ...1525...
Sun Apr 1 01:29:09 EST 2001
Unfortunately, sizing a Snort box is a very hard thing to do. It
really depends on the characteristics of the traffic you are trying to
monitor. There's an infinite number of conditions that can cause the box to
be put under an unusually heavy load, so it's almost impossible to say X
kind of machine can handle X amount of traffic. For instance, more
fragmentation will cause higher utilization, as will a large number of very
large packets or a large number of very small packets. From personal
experience, a 933MHz PIII single CPU 900MB RAM test box we setup monitoring
a production network with a good mix of everything, handled a saturated T3
with little packet loss. Processor utilization sat at about 90% and snort
ate almost 240MB of RAM.
Another problem you will run into is that Snort is single threaded.
This means that the app won't take advantage of multiple processors. So
you can either put one very fast processor in the box, or run Snort on an OS
which supports processor affinity (assigning a process to run on a specific
processor). I believe Solaris (both SPARC and x86 versions) and Windows
2000 will do this, but Linux and BSD will not. My suggestion would be to
break up the monitoring of the two different segments you mention onto two
Also, just as a side note, one of the most important considerations
for a fast and stable Snort box is choosing a high quality Ethernet card.
The Intel EtherExpress Pro you mention in your e-mail is a good choice.
Abe L. Getchell - Security Engineer
Division of System Support Services
Kentucky Department of Education
E-mail agetchel at ...1525...
> -----Original Message-----
> From: Simon Attwell [mailto:attwell at ...460...]
> Sent: Saturday, March 31, 2001 12:43 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Snort performance
> Has anyone done any performance trending for snort ?
> i.e. has any kept a track of the amount of traffic that a
> single snort
> instance can handle
> with respect to a) the cpu b) memory and c) OS.
> I have an implementation that requires me to watch constantly
> high traffic
> levels and i'm trying to guess
> at the sort of horsepower i need to throw at the problem.
> Traffic is constantly between 20 and 60 Mbps, and at present
> I'm watching a
> 129 C's as $HOME_NET
> with a complete ruleset (trimmed of things i dont care about).
> I'm thinking Dual 933Mhz PIII with 512 Mb of RAM and a couple
> of Intel
> EtherExpress PRO 100 NIC's.
> The box will be running two instances of snort (on 2
> different interfaces)
> which is why i spec dual cpu's
> - Simon
> Simon Attwell
> Systems Engineer
> 5520 Research Park Drive
> Madison, WI 53711
> attwell at ...460...
> Berbee... putting the E in business
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
More information about the Snort-users