[Snort-users] Re: Statefull inspection on IDS - Stick

Graeme Fowler Graeme.F at ...875...
Thu Mar 8 11:45:56 EST 2001

Good god, I really had to bite my tongue not to get angry about this...

1. To do real testing of this sort you need statistical clarity and
equality; ie. all systems should be as close in specification as
possible - if not identical. 
2. All testing should be carried out in the same environment, with the
same suite of tests carried out in exactly the same manner.
3. Ideally the tests should be repeated under a range of conditions or
specifications to compare (say) disk IO rates at different spindle
speeds, or different amounts of RAM. But *all* tests should be carried
out with all configurations, if possible.

I'm running snort here on a dual-processor P-Pro box with 256MB RAM
which also runs a webserver and IP accounting package on four separate
NICs. The load average is usually between 0.5-2, but I never see a
dropped packet (apart from packet frags caused by switch port mirroring)
and snort itself is processing upto 34Mbps - I have no idea how many
packets/sec that is :) - although I have a reasonably cut-down ruleset.

Just this morning I had a clients' machine under a DDoS attack (to UDP
port 220, whatever significance that has) and snort didn't even flinch -
even at a rate approaching 12Mbps inbound, with spade picking it up over
and above all the other traffic.

I'd like to see under what conditions the 100% CPU occurred, myself.

Best Wishes,

Graeme Fowler
Systems Administrator
graeme.f at ...875...
WebFusion Internet Solutions Ltd.
The UK's Largest Web Hosting Company

More information about the Snort-users mailing list