[Snort-users] Snort performance (was Re: Help with where to place ...)
athomas at ...5484...
Mon Jun 24 16:49:02 EDT 2002
>> - >100Mbps with suitably careful tuning (careful placement,
>> careful and appropriate customization of HOME_NET, good
>> choice of interface card, etc.)
What are the MAIN tunings that can be done?
1. The -A fast -b option can be used, as you had mentioned.
2. Specifying a libpcap filter to filter out packets is a tuning method, but is it used?
What other tuning can be done?
Thanks a lot.
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Bennett
Sent: Monday, June 24, 2002 11:42 AM
To: Poppi, Sandro
Cc: 'Daniel Lopez'; snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort performance (was Re: Help with where to
2002-06-19-06:45:31 Poppi, Sandro:
> I think snort can handle GB when the snort box and snort is highly
> tuned (not tested full GB speed yet).
I've not yet done enough testing to have a real feel for this from
my own experience, but from what I've read and been told by others,
I get the impression that snort, on a modern hot box (>>1GHz CPU,
512MB or more RAM), run with -A fast -b, can handle
- c. 50Mbps easily with the default sigs and config;
- >100Mbps with suitably careful tuning (careful placement,
careful and appropriate customization of HOME_NET, good
choice of interface card, etc.)
- up to possibly 250-300Mbps flat out max without exotic
custom hardware, limited by ability of the system to
unload packets out of the interface buffer; to hit this
range you have to be very very carefully tuning the
signature set to include only the handful of signatures
you're really critically interested in.
Unless there's been a breakthrough I haven't heard about, neither
Snort nor any other NIDS running under a general-purpose OS on
general-purpose hardware can be expected to run greater than c.
300Mbps no matter how tightly you tune it.
I try very hard to plan my deployments so that traffic passing the
snort sensor is cleaned up by the outer layers of the firewall plant
--- i.e. I place snort inside the proxy layer --- so that it doesn't
have to deal with fragments and deliberate IDS-DoS attacks and
failed attacks; and I try to plan things so that I don't expect more
than 50Mbps to pass by snort's nose.
While additional engineering effort can crank the levels up, I'm not
wildly happy about increasing my manpower costs to buy just a factor
of 2-4 performance boost. So far I've been able to keep the
aggregate traffic down. If I should be unable to sometime in the
near future, before snort (or PC hardware) performance improvements
crank up to where I need, I expect I'd be shopping for a device that
uses custom hardware to wind the performance way up.
<URL:http://www.intruvert.com/> claim to be doing this; there are
probably other companies competing in these realms as well.
The other approach that people recommend for hitting the Gbps range
is to use a special sort of loadbalancer, e.g.
<URL:http://www.toplayer.com/>, to schmear the traffic out over a
snort farm. Again, the engineering expense of creating and
maintaining such a beast puts me off.
This is a field that's developing so very very rapidly that it seems
like a good idea to postpone big purchases as long as possible; if
you can make do with what Snort can easily accomplish now, and worry
about higher performance later, that's probably the best approach.
Most folks confine their snort needs to its current performance
abilities by deploying it on the perimeter; very few shops actually
sustain >50Mbps outside (links that fast are pretty dear).
Intruvert (and, I expect, their competitors whoever they are) are
focused more on delivering IDS throughout your core networks, where
snort (and ISS, and NFR, and ...) can't reach the needed
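The tuning knobs this thread names (-A fast -b, a libpcap filter, a narrowed HOME_NET and a pruned signature set) put together into one Snort 1.8/2.x launch, as an added example that is not code from either poster. The interface (eth0), the protected subnet (192.168.10.0/24), the bulk-transfer host and port, and the rule files included are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread: the tuning knobs the thread
# mentions assembled into one Snort 1.8/2.x launch.
# Constructed assumptions: the sensor sniffs eth0, protects 192.168.10.0/24,
# and 192.168.10.5:873 carries a bulk rsync stream the IDS need not inspect.

# Write the variable and include section of snort.conf. Narrowing HOME_NET
# from "any" to the real protected subnet lets every rule that tests
# $HOME_NET skip packets not addressed to hosts you defend; pruning the
# include list keeps only the rule files you are critically interested in.
write_snort_vars() {
    # $1 = path of the config fragment to write
    cat > "$1" <<'EOF'
var HOME_NET 192.168.10.0/24
var EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules
# only the rule files this sensor is critically interested in (constructed list)
include $RULE_PATH/exploit.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/backdoor.rules
EOF
}

# libpcap (BPF) filter applied in the kernel before Snort's decoder sees the
# packet: the bulk transfer and the management SSH sessions are dropped here,
# so they cost no preprocessor or rule-matching time at all.
bpf_filter() {
    printf '%s' 'not (host 192.168.10.5 and port 873) and not port 22'
}

# Assemble the command line. -A fast writes one-line alerts instead of full
# decoded packets; -b logs packets in tcpdump binary format instead of
# per-packet text; -c, -i and -l are config file, interface and log directory.
# The trailing BPF expression is passed the way tcpdump and Snort accept it.
snort_cmd() {
    # $1 = snort.conf path, $2 = interface, $3 = log directory
    printf "snort -A fast -b -c %s -i %s -l %s '%s'" "$1" "$2" "$3" "$(bpf_filter)"
}

# Count the rule files a config fragment includes: a quick check that the
# pruned list is what you expect before the sensor is started.
count_includes() {
    grep -c '^include ' "$1"
}

# Usage: sh tuned_snort.sh --show
if [ "${1:-}" = "--show" ]; then
    tmp=$(mktemp)
    write_snort_vars "$tmp"
    echo "config fragment written to $tmp with $(count_includes "$tmp") rule includes"
    snort_cmd /etc/snort/snort.conf eth0 /var/log/snort
    echo
    rm -f "$tmp"
fi
```

The BPF filter and the HOME_NET narrowing do different jobs: the filter removes packets before Snort ever decodes them, while HOME_NET only changes which packets the rules that reference it are evaluated against, so a packet excluded by the filter is the cheapest packet the sensor handles.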