[Snort-users] Snort's Processing Rate

Matt Kettler mkettler at ...4108...
Tue Apr 13 14:36:09 EDT 2004


At 01:53 PM 4/13/2004, Sherif Yusuf wrote:
>I hust need to know the maximum (maybe published, doesnt have to be) 
>packet processing rate while using Snort. If I could get a reference to 
>where this number is stated that would be great.

I don't think there is any single maximum packet processing rate. But for 
starters, the sourcefire NS3000 (a VERY highly tuned snort sensor with lots 
of add-on utilities, but still runs the same snort code at it's core) is 
rated for wire-speed gigabit ethernet with 0% loss.

http://www.sourcefire.com/products/sensor.html

Of course, I assume that spec is based on full-sized ethernet frames. I'd 
be surprised (and impressed!) if they could keep up with gigabit ethernet 
saturated with 64byte packets (even most gigabit firewalls can't keep up 
with tiny packets at wire-speed). However, such a network load is highly 
unrealistic.

I don't know of any efforts offhand to make snort run on 10gb/sec ethernet.

Aside from "interface wire rate" as a hard maximum, Snort's maximum 
processing rate is going to be a function of all of these variables (and 
probably some I missed):

         CPU speed and architecture
         IO bus architecture to network interface
         IO bus architecture to system RAM
         Available RAM (ie: are you paging? how much is used for disk 
caching? etc)
         system load
         variety of PCAP interface
         OS kernel (vm, scheduler, etc)
         ruleset complexity
         system performance tuning
         rate of alert
         IO speed to logging mechanism








More information about the Snort-users mailing list