[Snort-users] Benchmarking snort

Bennett Todd bet at ...6163...
Thu Apr 17 20:12:34 EDT 2003


Some general comments.

Tcpreplay <URL:http://tcpreplay.sf.net/> is designed specifically
for benchmarking NIDSes.

Specific detailed answers to your questions are going to be
outlandishly dependent on exact versions of snort, exact versions of
rules sets, tuning of the many critical customization variables
(HOME_NET, EXTERNAL_NET, *_SERVERS, *_PORTS), preprocessor configs,
bpf tuning, libpcap implementation tuning, OS version, and platform.

To find real hard answers I'd recommend

- tuning snort as well as you can, working with the latest version;

- working on the OS you love the best, on the best platform you can
  afford;

- benchmarking with tcpreplay; and finally

- fiddling.

Don't spend too awfully much effort on details; nail your answers
within a factor of 5 or so and stop worrying. Moore's law hasn't let
go of this neighborhood yet.

Here's a rough figure of merit to consider: untuned snort 1.9, on a
cheap (PCI bus) commodity PC with >1GHz P3 or better and >=512MB
RAM, and a good NIC, can handle 50MBps without breaking a sweat, and
can be tuned to something well over 100Mbps with sufficient care and
precision. 2.0 is way faster. You can get much faster platforms
today.

-Bennett