[Snort-users] High Speed Network Cards + rules?

Matt Kettler mkettler at ...4108...
Mon May 24 13:22:03 EDT 2004

At 02:18 PM 5/24/2004, Adriel T. Desautels wrote:
>It is my understanding that most network cards at 50% capacity begin to
>miss packets and create a false negatives condition (IDS evasion technique).
>Is anyone aware of any cards that exist that collect 100% of the traffic
>with 0% false negatives due to this condition?  If not, what is the next
>best thing?

So what kind of "high speed" are we talking here? gigabit? 100mbit?

And technically speaking, it's usually not the NIC that misses the packets. 
However, the CPU overhead from the NIC can cause snort to not have enough 
CPU time to get to them.

Some general suggestions to improve performance on sniffers using gig-e 

         1) Use a on-motherboard CSA based setup, or 64bit PCI bus, or 
PCI-X. A classic 32bit/33mhz PCI bus can just barely transfer 1Gbit/sec 
with nothing else going on and no overhead.
         2) Look at the driver source code for the NICs you're considering 
for your OS. The source often contains hints if a particular card is 
inefficient or not.
         3) Be sure to use a high performance PCAP library like the MMAPed 
IO one from Phil Wood.
         4) Make sure your memory subsystem is fast. Make sure you're using 
the fastest RAM that your chipset can handle.
         5) Make sure you're not doing anything silly like ascii-mode 
packet logging. Log in SQL, or tcpdump format.

Tom's hardware also did a test of several "on-motherboard" gig-e 
implementations from which we can glean some useful information:


Be sure to look at both thruput and CPU numbers.. The intel chipsets using 
CSA clearly won overall. Consistently first or second place thruput, and 
the low CPU usage. The Realtek chip also did well in one performance test, 
but it's CPU loading was also high (70%).

You need to keep in mind that these tests were done on windows, but it does 
give you some basis of comparison.

Also keep in mind that most chips other than the CSA setup are going to be 
using an on-motherboard PCI setup, and are probably connected at 
32bit/33mhz. (Tom confirms this for the Broadcom, and I can confirm the 
realtek chip on the board is 32bit only). If nothing else, the performance 
difference of the CSA chip suggests that 32bit/33mhz pci just can't keep up.

Even comparing apples-to-apples using only PCI implementations, the Intel 
PCI plug-in card looks better than the broadcom, 3com or realtek here.

>         Secondly, does anyone know of any other snort rule repositories 
> aside from
>those presented at snort.org?

I for one do not, other than the snort-sigs mailing list, but perhaps 
someone else does.

More information about the Snort-users mailing list