[Snort-users] High Speed Network Cards + rules?
mkettler at ...4108...
Mon May 24 13:22:03 EDT 2004
At 02:18 PM 5/24/2004, Adriel T. Desautels wrote:
>It is my understanding that most network cards at 50% capacity begin to
>miss packets and create a false negatives condition (IDS evasion technique).
>Is anyone aware of any cards that exist that collect 100% of the traffic
>with 0% false negatives due to this condition? If not, what is the next
So what kind of "high speed" are we talking here? gigabit? 100mbit?
And technically speaking, it's usually not the NIC that misses the packets.
However, the CPU overhead from the NIC can cause snort to not have enough
CPU time to get to them.
Some general suggestions to improve performance on sniffers using gig-e
1) Use an on-motherboard CSA-based setup, or 64bit PCI bus, or
PCI-X. A classic 32bit/33mhz PCI bus can just barely transfer 1Gbit/sec
with nothing else going on and no overhead.
2) Look at the driver source code for the NICs you're considering
for your OS. The source often contains hints if a particular card is
inefficient or not.
3) Be sure to use a high performance PCAP library like the MMAPed
IO one from Phil Wood.
4) Make sure your memory subsystem is fast. Make sure you're using
the fastest RAM that your chipset can handle.
5) Make sure you're not doing anything silly like ascii-mode
packet logging. Log in SQL, or tcpdump format.
Tom's hardware also did a test of several "on-motherboard" gig-e
implementations from which we can glean some useful information:
Be sure to look at both throughput and CPU numbers. The Intel chipsets using
CSA clearly won overall: consistently first or second place throughput, and
low CPU usage. The Realtek chip also did well in one performance test,
but its CPU loading was also high (70%).
You need to keep in mind that these tests were done on windows, but it does
give you some basis of comparison.
Also keep in mind that most chips other than the CSA setup are going to be
using an on-motherboard PCI setup, and are probably connected at
32bit/33mhz. (Tom confirms this for the Broadcom, and I can confirm the
Realtek chip on the board is 32bit only). If nothing else, the performance
difference of the CSA chip suggests that 32bit/33mhz PCI just can't keep up.
Even comparing apples-to-apples using only PCI implementations, the Intel
PCI plug-in card looks better than the Broadcom, 3Com or Realtek here.
>Secondly, does anyone know of any other snort rule repositories aside from
>those presented at snort.org?
I for one do not, other than the snort-sigs mailing list, but perhaps
someone else does.
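As an added example (not from this thread or from the Snort project), a small Python check a sensor operator can run to see whether the capture host, rather than the wire, is losing packets: it diffs two Linux /proc/net/dev snapshots and separates kernel-side drops from NIC ring/FIFO overruns. The snapshots below are constructed sample text and the interface name eth1 is an assumption.

```python
# Added example: measure capture-host packet loss from two /proc/net/dev
# snapshots. The snapshot text is constructed; on a real sensor read
# /proc/net/dev twice a few seconds apart and pass both strings in.

# Constructed snapshots (Linux /proc/net/dev layout: two header lines, then
# one line per interface with 8 receive counters followed by 8 transmit ones).
SNAP_T0 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1000      10    0    0    0     0          0         0     1000      10    0    0    0     0       0          0
  eth1: 5000000   50000    0  100   20     0          0         0        0       0    0    0    0     0       0          0
"""
SNAP_T1 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    2000      20    0    0    0     0          0         0     2000      20    0    0    0     0       0          0
  eth1: 9000000   90000    0  600  120     0          0         0        0       0    0    0    0     0       0          0
"""


def parse_net_dev(text):
    """Return {iface: {"rx_packets", "rx_drop", "rx_fifo"}} from /proc/net/dev text."""
    stats = {}
    for line in text.splitlines()[2:]:          # skip the two header lines
        if ":" not in line:
            continue
        iface, rest = line.split(":", 1)
        fields = rest.split()
        # receive columns: bytes packets errs drop fifo frame compressed multicast
        stats[iface.strip()] = {
            "rx_packets": int(fields[1]),
            "rx_drop": int(fields[3]),   # frames the kernel discarded after the NIC took them
            "rx_fifo": int(fields[4]),   # FIFO/ring overruns: host drained the NIC too slowly
        }
    return stats


def capture_loss(before, after, iface):
    """Loss between two snapshots on iface; 'offered' approximates packets on
    the wire as received + dropped, so 'loss' is the share the sensor never saw."""
    b, a = parse_net_dev(before)[iface], parse_net_dev(after)[iface]
    received = a["rx_packets"] - b["rx_packets"]
    dropped = a["rx_drop"] - b["rx_drop"]
    fifo = a["rx_fifo"] - b["rx_fifo"]
    offered = received + dropped
    loss = dropped / offered if offered else 0.0
    return {"offered": offered, "dropped": dropped, "fifo_overruns": fifo, "loss": loss}
```

Any non-zero loss on the capture interface means Snort's view of the wire is already incomplete before rule matching starts; a rising fifo count points at the bus/CPU bottlenecks discussed above rather than at the rule set.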