[Snort-users] snort speed
mkettler at ...4108...
Mon Dec 29 11:09:01 EST 2003
At 07:01 AM 12/26/2003, snort wrote:
>how much could snort handle (MBps) on a regular network??

That's nearly impossible to answer with so little information.

Some combinations of hardware and config can barely handle the 1.5mbit/sec
of a T1 line, others can handle hundreds of mbit/sec. Some even reach
gigabit speeds, but don't expect to keep up with gigabit without some
extensive tuning. (or buying a pre-tuned box)

There are a lot of variables that affect snort performance, and they can make
HUGE differences in performance.

All of the following questions are VERY significant to the datarate snort
will be able to handle. Each of these questions can easily make a 30%
difference in how much traffic you can handle before experiencing packet loss.

What OS do you run?
What type of libpcap, standard or Phil Wood's version?
What does your ruleset look like? hand trimmed, or stock? Or stock with
extra rules added?
What is EXTERNAL_NET declared as?
Does HOME_NET consist of multiple comma delimited ranges? If so, how many?
What KIND of traffic dominates the traffic going past snort? Details here
matter more than you probably suspect.
What version of snort?
Are you using PCRE (2.1 = yes, 2.0 depends if you patch it in or not)?
Are you using flexresp?
What preprocessors are you using?
What kind of output logging?
What's the short-term maximum datarate (not the average rate limited by
your internet connection)?
What kind of CPU?
How much ram?
What kind of disk system?
What kind of NIC card?
What approximate percentage of cpu and disk IO are consumed by non-snort