[Snort-users] Who can explain this?where is the bottleneck?
gricardo at ...8098...
Fri May 16 08:35:11 EDT 2003
What output does IOSTAT or SAR give you when you have your IDS system
in full operation?
From: rocky [mailto:rocky_maja at ...125...]
Sent: Friday, May 16, 2003 11:16 AM
To: Snort-users at lists.sourceforge.net
Subject: [Snort-users] Who can explain this?where is the bottleneck?
I did some simple tests on Snort's on-line detection capacity yesterday.
I checked a tcpdump capture with only 37 kinds of attacks. First, I turned off
all unneeded preprocessors; indeed only frag2 and telnet remained
enabled. Snort 2.0 checked this data "off-line" with only 37 rules and
found about 7700 events in about 5 seconds. Then I injected the tcpdump
data with tcpreplay from my traffic producer and detected the traffic on my
Here are the detected events with different traffic rates:
I cannot understand why Snort cannot find most events even at very low
I think it may be a problem with my machines.
My traffic producer is an Intel 1.4 GHz, 256 MB RAM, Red Hat 9.0, E1000 NIC.
My Snort sensor is an Intel 2.4 GHz, 512 MB RAM, Red Hat 9.0, E1000 NIC.
Where is the bottleneck?
How can I detect all the events on-line?
Thanks very much.
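The question in the thread is where the missed events go between the off-line run and the tcpreplay run. The sh harness below is an added example, not code from either poster or from the Snort project. It repeats the experiment at one replay rate and reads two drop counters on the sensor: receive drops in /proc/net/dev (the kernel or NIC discarded the packet before Snort saw it) and the "dropping N" figure in Snort's own exit summary (libpcap handed the packet to Snort too late). The counter parsers are separate functions so they can be checked against captured files. Assumptions that are not from the post: Snort runs with -A fast so each alert is one line containing "[**]" in a file named alert; the sensor interface, pcap and config names are placeholders; Snort's summary line has one of the two shapes handled in parse_snort_drops (if your release prints something else, adjust that regex); and tcpreplay's rate flag is -M/--mbps as in 3.x (1.x releases used -r).

```shell
#!/bin/sh
# Added example (not from the thread or the Snort project): one replay trial
# with loss attribution. All paths and names below are placeholders.
IFACE=${IFACE:-eth0}           # sensor capture interface (assumption)
PCAP=${PCAP:-attacks.tcpdump}  # capture with the 37 attacks (placeholder name)
CONF=${CONF:-snort.conf}

# Alerts in a Snort fast-alert file: one line per event, each containing "[**]".
count_alerts() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -cF '[**]' "$1" || :
}

# Receive-side drop counter for interface $2 from a /proc/net/dev snapshot in $1.
# After "iface:" the receive columns are bytes packets errs drop ..., so drop is field 4.
rx_drops() {
    awk -v ifc="$2" '{
        sub(/^[ \t]+/, ""); n = split($0, a, ":")
        if (n >= 2 && a[1] == ifc) { split(a[2], f, " "); print f[4] }
    }' "$1"
}

# Packets Snort itself reports dropping, from its exit summary saved in $1.
# Assumed shapes: "... dropping 200(16.667%) packets" or "Dropped: 200(16.667%)".
parse_snort_drops() {
    d=$(sed -n 's/.*dropping \([0-9][0-9]*\)(.*/\1/p; s/.*Dropped: *\([0-9][0-9]*\)(.*/\1/p' "$1" | head -n 1)
    echo "${d:-0}"
}

# Integer percentage of off-line events ($1) that the on-line run ($2) also produced.
recall_pct() {
    [ "$1" -gt 0 ] || { echo 0; return 0; }
    echo $(( $2 * 100 / $1 ))
}

# Attribute the loss: kernel/NIC drops point at the box or driver, Snort drops
# point at Snort (rules, preprocessors, output) not keeping up with the capture.
diagnose() {
    offline=$1 online=$2 kdrops=$3 sdrops=$4
    if [ "$online" -ge "$offline" ]; then echo "no loss"
    elif [ "$kdrops" -gt 0 ]; then echo "kernel/NIC drops: $kdrops"
    elif [ "$sdrops" -gt 0 ]; then echo "snort drops: $sdrops"
    else echo "no drops counted: check replay rate and rule/flow state"
    fi
}

# Off-line baseline: same rules over the pcap, prints the event count.
offline_baseline() {
    mkdir -p offline
    snort -r "$PCAP" -c "$CONF" -A fast -l offline >offline/snort.out 2>&1
    count_alerts offline/alert
}

# One on-line trial at $1 Mbps. Needs root plus snort and tcpreplay on the sensor
# and producer; here both are assumed to be driven from the sensor for brevity.
run_trial() {
    rate=$1; log=trial_$rate; mkdir -p "$log"
    cp /proc/net/dev "$log/dev.before"
    snort -i "$IFACE" -c "$CONF" -A fast -l "$log" >"$log/snort.out" 2>&1 &
    pid=$!; sleep 2
    tcpreplay -i "$IFACE" -M "$rate" "$PCAP"
    sleep 2; kill -INT "$pid"; wait "$pid" 2>/dev/null
    cp /proc/net/dev "$log/dev.after"
    kd=$(( $(rx_drops "$log/dev.after" "$IFACE") - $(rx_drops "$log/dev.before" "$IFACE") ))
    sd=$(parse_snort_drops "$log/snort.out")
    on=$(count_alerts "$log/alert")
    echo "rate=${rate}Mbps online=$on kernel_drops=$kd snort_drops=$sd"
}
```

Usage: source the file, run `offline_baseline` once to get the off-line count, then `run_trial` at each rate and feed the three numbers to `diagnose` (for example `diagnose "$off" "$on" "$kd" "$sd"`). If recall is low while both drop counters stay at zero, the packets arrived and Snort kept up, so look at the replay itself (tcpreplay rewriting timing or MACs, a switch not forwarding to the sensor port) and at rules that depend on stream or fragment state that a bursty replay breaks.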