[Snort-users] Snort on-line detection rate?
erek at ...950...
Wed May 14 08:31:12 EDT 2003
On Wed, 14 May 2003, 方 磊 wrote:
> I am a rookie in snort. I want to test the on-line detection capacity of
> snort. I have two computers connected directly. The traffic producer runs
> tcpreplay with tcpdump data at a rate of 100Mbps at first. But I find
> that snort 1.9.1 drops most packets with 1310 rules. Only when I change
> the rate to about 5Mbps can snort detect most packets. My snort
> sensor runs on Intel 2.4G 512MB RAM and Linux 9.0. What is the
> approximate rate of snort's on-line detection capacity with all its
A few points:
* Linux 9? No such animal. Do you mean RedHat 9? Remember RedHat !=
* Use Snort 2.0 instead of 1.9.1. The detection engine has changed and
it's much quicker now.
* Never, Never, Never, EVER use all the rules. For a _real_ test, you
should tune your ruleset to a smaller set of rules, the same way you would
in a production setup. The default rules aren't there so they can all be
turned on, they are there to give a 'default' set from which you can pick
and choose what you need, or modify to fit your network.
* What kind of NIC do you have in your sensor? Is your driver current?
Bad drivers can be a major cause of dropped packets. Can you send
100mbs without getting dropped packets from the OS itself?
* Most networks aren't going to have 100mbs of sustained traffic. You
have to keep in mind the 'ethernet knee' goes from (roughly) 25%-40%.
At that point, your retransmissions start to degrade the performance of
the network. Realistic loads on a 100mbs net would be more from 25-40mbs
with that in mind.
* How are you running Snort? The command line switches and the contents
of the .conf file will make a large impact upon how fast it can detect and
* What kind of an I/O subsystem are you on? IDE? EIDE? SCSI? IDE is
the slower, while SCSI is the faster of those.
Here's something to consider: There are people on (and off) this list who
are using Snort in GigE situations--With little or no dropped packets.
Anyone in that group care to comment?
Snort is a quick little piggy--You just can't expect him to be quick if
you overfeed (too many rules) him! :)
Hope that helps!
"When things get weird, the weird turn pro." H.S. Thompson
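One way to answer the "can you send 100mbs without getting dropped packets from the OS itself?" question above is to diff the receive counters in /proc/net/dev on the sensor's capture interface before and after a tcpreplay run: if the kernel or NIC already reports errs/drop/fifo losses, the packets never reached libpcap and Snort cannot be blamed for them. The script below is an added example, not code from the thread or from the Snort project; it assumes the receive-side column order of /proc/net/dev on Linux 2.4 and later, and the two snapshots, the interface name eth0 and the counter values are constructed.

```python
"""Did the packets get lost before Snort ever saw them?

Diff the receive counters of the capture interface in /proc/net/dev
across a tcpreplay run.  Added example; the two snapshots at the bottom
are constructed to look like /proc/net/dev on a Linux 2.4 sensor.
"""

from dataclasses import dataclass

# Receive-side columns of /proc/net/dev, in order (Linux 2.4 and later).
RX_FIELDS = ("bytes", "packets", "errs", "drop", "fifo", "frame",
             "compressed", "multicast")


def parse_proc_net_dev(text: str, iface: str) -> dict:
    """Return the receive counters of `iface` as a name -> int dict."""
    for line in text.splitlines():
        if ":" not in line:
            continue                      # the two header lines
        name, _, rest = line.partition(":")
        if name.strip() != iface:
            continue
        values = rest.split()
        if len(values) < len(RX_FIELDS):
            raise ValueError("unexpected /proc/net/dev layout: %r" % line)
        return dict(zip(RX_FIELDS, (int(v) for v in values[:len(RX_FIELDS)])))
    raise KeyError("interface %s not found in /proc/net/dev" % iface)


@dataclass
class RxDelta:
    """Receive-side change between two snapshots."""
    packets: int      # frames delivered to the stack (and so to libpcap)
    lost: int         # errs + drop + fifo: frames the kernel/NIC never delivered

    @property
    def loss_pct(self) -> float:
        seen = self.packets + self.lost
        return 0.0 if seen == 0 else 100.0 * self.lost / seen


def rx_delta(before: str, after: str, iface: str) -> RxDelta:
    """Diff two /proc/net/dev snapshots taken around a tcpreplay run."""
    b = parse_proc_net_dev(before, iface)
    a = parse_proc_net_dev(after, iface)
    d = {k: a[k] - b[k] for k in RX_FIELDS}
    if any(v < 0 for v in d.values()):
        raise ValueError("counters went backwards; interface reset mid-run?")
    return RxDelta(packets=d["packets"],
                   lost=d["errs"] + d["drop"] + d["fifo"])


def verdict(delta: RxDelta) -> str:
    """Decide where to look first when Snort reports drops."""
    if delta.lost == 0:
        return "kernel delivered everything: drops are Snort's (rules/config)"
    return ("kernel/NIC lost %d of %d frames (%.2f%%): fix driver/NIC "
            "before blaming Snort" % (delta.lost, delta.packets + delta.lost,
                                      delta.loss_pct))


# Constructed snapshots: `cat /proc/net/dev` before and after the replay.
BEFORE = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   12000     120    0    0    0     0          0         0    12000     120    0    0    0     0       0          0
  eth0: 640000000 1000000    0    0    0     0          0         0   500000    5000    0    0    0     0       0          0
"""
AFTER = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   12000     120    0    0    0     0          0         0    12000     120    0    0    0     0       0          0
  eth0: 1152000000 1800000    0 20000 5000     0          0         0   500000    5000    0    0    0     0       0          0
"""

if __name__ == "__main__":
    d = rx_delta(BEFORE, AFTER, "eth0")
    print("delivered=%d lost=%d loss=%.2f%%" % (d.packets, d.lost, d.loss_pct))
    print(verdict(d))
```

On a real sensor, read /proc/net/dev into BEFORE and AFTER around the replay instead of using the constructed strings; a non-zero `lost` count points at the NIC driver or the host's I/O path, which is exactly the layer the points above say to check before tuning the ruleset.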