[Snort-users] Snort as Gigabit Sensor

Bennett Todd bet at ...6163...
Thu Jul 24 12:37:25 EDT 2003

2003-07-24T14:43:39 Banniza Robert:
> Anyone have any good pointers on tuning Linux (Redhat 9) as a gigabit
> sensor?

Not this year.

Expect to hit a flat out impenetrable wall at c. 300Mbps for a
PCI-bus NIC, possibly as much as 550-600 for PCIx. These limits seem
to show up consistently, I've heard 'em from a lot of different

To approach those speeds you should

 - run on unnumbered interface in promisc --- you don't want the
   OS's IP stack analyzing the traffic (hence TCP tuning won't help)

 - use snort 2

 - give it plenty of ram (512MB is a good idea, cheap as ram is go
   ahead and give it a GB for future-proofing)

 - get the ring-buffered libpcap for Linux

 - go through the preprocessors, seeing which ones you can do

 - tune the config --- this is not optional if you want to hit
   multiple-hundred-mbps performance realms. Dial out false
   positives, get the alarm-generation rate down to something
   reasonable. Adjust the *_NET, *_SERVERS, *_PORTS tuning vars in
   snort.conf. #-out rules files you're not actively interested in.
   Examine the individual rules in the files you're including and
   eliminate any that don't apply to platforms you use.

Once you've gone down that road, a modern hot box ought to be able
to snort at bus speed limit (c. 300/550 Mbps as mentioned above).
Next year's hot box with a faster interface to the NIC may well be
able to do an honest Gbps. Maybe. I'll believe it when I see it:-).

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20030724/fe64d1e5/attachment.sig>

More information about the Snort-users mailing list