[Snort-users] Snort as Gigabit Sensor
bet at ...6163...
Thu Jul 24 12:37:25 EDT 2003
2003-07-24T14:43:39 Banniza Robert:
> Anyone have any good pointers on tuning Linux (Redhat 9) as a gigabit
Not this year.
Expect to hit a flat-out impenetrable wall at c. 300 Mbps for a
PCI-bus NIC, possibly as much as 550-600 Mbps for PCI-X. These limits seem
to show up consistently; I've heard 'em from a lot of different
To approach those speeds you should
- run on unnumbered interface in promisc --- you don't want the
OS's IP stack analyzing the traffic (hence TCP tuning won't help)
- use snort 2
- give it plenty of RAM (512 MB is a good idea; cheap as RAM is, go
ahead and give it a GB for future-proofing)
- get the ring-buffered libpcap for Linux
- go through the preprocessors, seeing which ones you can do
- tune the config --- this is not optional if you want to hit
multiple-hundred-mbps performance realms. Dial out false
positives, get the alarm-generation rate down to something
reasonable. Adjust the *_NET, *_SERVERS, *_PORTS tuning vars in
snort.conf. #-out rules files you're not actively interested in.
Examine the individual rules in the files you're including and
eliminate any that don't apply to platforms you use.
Once you've gone down that road, a modern hot box ought to be able
to snort at bus speed limit (c. 300/550 Mbps as mentioned above).
Next year's hot box with a faster interface to the NIC may well be
able to do an honest Gbps. Maybe. I'll believe it when I see it:-).
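As an added example (not part of the original post or of the Snort project), here is a small POSIX shell script that applies two of the tuning steps above: bringing the sniffing interface up unnumbered and promiscuous so the host IP stack never touches the traffic, and editing a snort.conf copy to set the tuning vars and comment out rule files you are not interested in. The interface name, the sample snort.conf contents, and the use of the `ip` tool (rather than the `ifconfig` of the period) are assumptions; the sample config is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. Interface name and the
# sample snort.conf below are assumptions made for illustration.

# 1. Bring the sniffing interface up with no IP address and promiscuous
#    mode on. With no address (and ARP off) the OS stack ignores the
#    traffic; only libpcap/snort sees it. Needs root; not run by default.
sniff_iface_up() {
    iface="$1"
    ip addr flush dev "$iface"
    ip link set dev "$iface" arp off promisc on up
}

# 2. Set a 'var NAME value' line in snort.conf to a tuned value, in place.
#    e.g. snort_set_var snort.conf HOME_NET '[192.168.1.0/24]'
snort_set_var() {
    conf="$1"; name="$2"; value="$3"
    sed -i "s|^var $name .*|var $name $value|" "$conf"
}

# 3. Comment out 'include' lines for rule files you do not want loaded.
#    e.g. snort_disable_rules snort.conf web-iis.rules netbios.rules
snort_disable_rules() {
    conf="$1"; shift
    for f in "$@"; do
        sed -i "s|^include \(.*/$f\)$|# include \1|" "$conf"
    done
}

# Constructed sample snort.conf, used so the functions can be tried offline.
make_sample_conf() {
    cat > "$1" <<'EOF'
var HOME_NET any
var EXTERNAL_NET any
var HTTP_SERVERS $HOME_NET
var HTTP_PORTS 80
var RULE_PATH ../rules
preprocessor stream4: detect_scans
include $RULE_PATH/web-iis.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/bad-traffic.rules
EOF
}

# Number of rule files still included (uncommented), for checking the result.
active_includes() {
    grep -c '^include ' "$1"
}

# Demo: tune a copy of the sample config and print it.
demo() {
    conf=$(mktemp)
    make_sample_conf "$conf"
    snort_set_var "$conf" HOME_NET '[192.168.1.0/24]'
    snort_set_var "$conf" EXTERNAL_NET '!$HOME_NET'
    snort_disable_rules "$conf" web-iis.rules netbios.rules
    cat "$conf"
    rm -f "$conf"
}
```

Run `demo` to see the tuned config; call `sniff_iface_up eth1` (as root, with your sensor interface) on the box itself. Note that `sed -i` as used here is the GNU form.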