[Snort-users] Who can explain this?where is the bottleneck?

rocky rocky_maja at ...125...
Fri May 16 08:19:05 EDT 2003

I did some simple tests on snort on-line detection capacity yesterday. 
I check a tcpdump data with only 37 kinds of attacks.First, I turn off all useless precessors, indeed only frag2 and telnet remain opening.Snort2.0 check this data "off-line" with only 37 rules. There find about 7700 events in about 5 seconds. Then I inject the tcpdump data by tcpreplay from my traffic producer and detect the traffic on my sensor. 
Here are the detected events with different traffic rates:
150M   3522
100M   3791
80M    3851
50M    3941
20M    4163
10M    4271

I can not understand why snort can not find most events even in very low speed.
I think it may be problem of my machines.

My traffic producer is Intel 1.4G, 256RAM, Redhat 9.0, E1000 NIC.
My snort sensor is Intel 2.4G, 512RAM, Redhat 9.0, E1000 NIC.
Where is the bottleneck?
How can I to detect all the events on-line?

Thanks very much.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20030516/1cbc340b/attachment.html>

More information about the Snort-users mailing list