[Snort-users] Benchmarking snort
Michael L. Artz
dragon at ...8731...
Thu Apr 17 19:18:07 EDT 2003

Has any work been done benchmarking snort against the number of rules in
your config and the preprocessors that you turn on? More specifically,
if I take a single snort process with 1000 rules and break that into 2
snort processes running 500 rules (running on the same box) can I expect
about the same loading of the box, minus a bit of memory overhead? In
the same vein, if I can currently handle 100Mbps with a snort process
with 1000 rules, what speeds will I be able to reliably handle if I
decrease the ruleset to 500?

Basically, I am trying to get at how to load-balance several snort
sensors across a network. Would the best way be to decrease the traffic
load by policy routing different sessions to different snort boxes, or
putting another snort box on the same network and dividing the current
ruleset between the two snort boxes?

Finally, what is the fastest that anyone has reliably run snort, and how
many rules/preprocessors were turned on when you did this?

Any info/pointers/flames are appreciated.