[Snort-users] snort speed

Matt Kettler mkettler at ...4108...
Mon Dec 29 11:09:01 EST 2003


At 07:01 AM 12/26/2003, snort wrote:
>how much could snort handel (MBps) on a regular network??

That's nearly impossible to answer with so little information.

Some combinations of hardware and config can barely handle the 1.5mbit/sec 
of a t1 line, others can handle hundreds of mbit/sec. Some even reach 
gigabit speeds, but don't expect to keep up with gigabit without some 
extensive tuning. (or buying a pre-tuned box)

There's a lot of variables that affect snort performance, and they can make 
HUGE differences in performance.

All of the following questions are VERY significant to the datarate snort 
will be able to handle. Each of these questions can easily make a 30% 
difference in how much traffic you can handle before experiencing packet loss.

What OS do you run?
What type of libpcap, standard or Phil Wood's version?
What does your ruleset look like? hand trimmed, or stock? Or stock with 
extra rules added?
What is EXTERNAL_NET declared as?
Does HOME_NET consist of multiple comma delimited ranges? If so, how many 
ranges?
What KIND of traffic dominates the traffic going past snort? Details here 
matter more than you probably suspect.
What version of snort?
Are you using PCRE (2.1 = yes, 2.0 depends if you patch it in or not)?
Are you using flexresp?
What preprocessors are you using?
What kind of output logging?
What's the short-term maximum datarate (not the average rate limited by 
your internet connection)?
What kind of CPU?
How much ram?
What kind of disk system?
What kind of NIC card?
What approximate percentage of cpu and disk IO are consumed by non-snort 
processes?






More information about the Snort-users mailing list