[Snort-users] Snort on-line detection rate?

Erek Adams erek at ...950...
Wed May 14 08:31:12 EDT 2003

On Wed, 14 May 2003, 方 磊 wrote:

> I am a rookie in snort. I want to test the on-line detection capacity of
> snort. I have two computers connected directly. The traffic producer runs
> a tcpreplay with tcpdump data at a rate of 100Mbps at first. But I find
> that snort 1.9.1 drops most packets with 1310 rules. Only when I change
> the rate to about 5Mbps can snort detect most packets. My snort
> sensor runs on Intel 2.4G 512MB RAM and Linux 9.0. What is the
> approximate rate of snort's on-line detection capacity with all its
> ruleset?

A few points:

*  Linux 9?  No such animal.  Do you mean RedHat 9?  Remember RedHat !=

*  Use Snort 2.0 instead of 1.9.1.  The detection engine has changed and
it's much quicker now.

*  Never, Never, Never, EVER use all the rules.  For a _real_ test, you
should tune your ruleset to a smaller set of rules, the same way you would
in a production setup.  The default rules aren't there so they can all be
turned on, they are there to give a 'default' set from which you can pick
and choose what you need, or modify to fit your network.

*  What kind of NIC do you have in your sensor?  Is your driver current?
Bad drivers can be a major reason for dropped packets.  Can you send
100mbs without getting dropped packets from the OS itself?

*  Most networks aren't going to have 100mbs of sustained traffic.  You
have to keep in mind the 'ethernet knee' [0] goes from (roughly) 25%-40%.
At that point, your retransmissions start to degrade the performance of
the network.  Realistic loads on a 100mbs net would be more from 25-40mbs
with that in mind.

*  How are you running Snort?  The command line switches and the contents
of the .conf file will make a large impact upon how fast it can detect and

*  What kind of an I/O subsystem are you on?  IDE?  EIDE?  SCSI?  IDE is
the slower, while SCSI is the faster of those.

Here's something to consider:  There are people on (and off) this list who
are using Snort in GigE situations--With little or no dropped packets.
Anyone in that group care to comment?

Snort is a quick little piggy--You just can't expect him to be quick if
you overfeed (too many rules) him!  :)

Hope that helps!

Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

[0]	http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=ethernet+knee
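
The ruleset-tuning point above, as an added example that is not part of the original post: a small Python helper that reports how many active rules each `include` line in a snort.conf contributes, so the heaviest rule files can be reviewed first. It assumes the usual `var` / `include $RULE_PATH/x.rules` syntax; the file names and rules in the sample are constructed.

```python
import re

# Keywords that start a rule line in Snort 1.x/2.x rule files.
ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")
VAR_RE = re.compile(r"^\s*var\s+(\S+)\s+(\S+)")

def active_rule_counts(conf_text, read_file):
    """Return {rules_file: active_rule_count} for each uncommented include.

    read_file maps a path to that file's text, so the function works on
    real files (lambda p: open(p).read()) or on in-memory samples.
    """
    variables, counts = {}, {}
    for line in conf_text.splitlines():
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = m.group(2)
            continue
        m = INCLUDE_RE.match(line)
        if not m:
            continue  # comments, preprocessors, outputs, blank lines
        # Expand $VAR references such as $RULE_PATH.
        path = re.sub(r"\$(\w+)",
                      lambda v: variables.get(v.group(1), v.group(0)),
                      m.group(1))
        if not path.endswith(".rules"):
            continue  # e.g. classification.config
        # A rule counts once: continuation lines do not start with an action,
        # and disabled rules start with '#'.
        counts[path] = sum(1 for l in read_file(path).splitlines()
                           if l.split() and l.split()[0] in ACTIONS)
    return counts

# Constructed sample input (not from a real deployment).
SAMPLE_CONF = r"""var RULE_PATH ../rules
include classification.config
include $RULE_PATH/web-iis.rules
# include $RULE_PATH/chat.rules
include $RULE_PATH/dns.rules
"""
SAMPLE_FILES = {
    "../rules/web-iis.rules": r"""alert tcp any any -> any 80 (msg:"constructed A"; sid:1000001;)
# alert tcp any any -> any 80 (msg:"constructed B, disabled"; sid:1000002;)
""",
    "../rules/dns.rules": r"""alert udp any any -> any 53 (msg:"constructed C"; \
    content:"example"; sid:1000003;)
alert udp any any -> any 53 (msg:"constructed D"; sid:1000004;)
""",
}

if __name__ == "__main__":
    for path, n in active_rule_counts(SAMPLE_CONF, SAMPLE_FILES.__getitem__).items():
        print(f"{n:5d}  {path}")
```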
