[Snort-users] Benchmarking snort

Michael L. Artz dragon at ...8731...
Thu Apr 17 19:18:07 EDT 2003

Has any work been done benchmarking snort against the number of rules in 
your config and the preprocessors that you turn on?  More specifically, 
if I take a single snort process with 1000 rules and break that into 2 
snort processes running 500 rules (running on the same box) can I expect 
about the same loading of the box, minus a bit of memory overhead?  In 
the same vein, if I can currently handle 100Mbps with a snort process 
with 1000 rules, what speeds will I be able to reliably handle if I 
decrease the ruleset to 500?

Basically, I am trying to get at how to load-balance several snort 
sensors across a network.  Would the best way be to decrease the traffic 
load by policy routing different sessions to different snort boxes, or 
putting another snort box on the same network and dividing the current 
ruleset between the two snort boxes?

Finally, what is the fastest that anyone has reliably run snort, and how 
many rules/preprocessors were turned on when you did this?

Any info/pointers/flames are appreciated.


