[Snort-users] Re: Statefull inspection on IDS - Stick

Avleen Vig avleen at ...396...
Thu Mar 8 10:20:37 EST 2001

> A Linux based snort will hit 100% CPU and start dropping packets.  The
> stress on recording and disk IO is another problem.

Errrrrrmm.. what specs are we talking about?
This is very vague... It's like saying "The earth is big"... but how big? Compared to
the galaxy it's tiny, and compared to a worm it's enormous.

I've seen snort generate hundreds / thousands of alerts a second during floods, and not
drop a packet.
Disk IO hasn't been a problem either.

This has been on a loaded P166 running FreeBSD (ok, not Linux), 128Mb RAM and a hard
drive in PIO Mode 4.
The box was also running a mailer daemon, Apache, and many other things.

And snort still only made 20% - 30% CPU use.

