[Snort-users] Approximate bandwidth performance running Snort

Matt Kettler mkettler at ...4108...
Fri Apr 22 10:39:53 EDT 2005


Tristan RHODES wrote:

>Assume I buy a new dual-processor (Xeon or Opteron) server with 2 GB of
>RAM and SCSI disks.  I plan on installing multiple gigabit network
>cards.
>
>How much bandwidth can I expect a default installation of Snort to
>handle?  1 Gbps?  2 Gbps?  More?  Less?
>
>Thanks,
>
I'd venture a guess at somewhere between 500 Mbps and 1 Gbps; however, that's
a wild guess and makes a lot of assumptions. I'll also make the
disclaimer that I've never tried to set up a high-performance Snort box
before, so take my comments here as being highly anecdotal.


In general IDS performance is a fairly ambiguous thing to measure, as
there are a LOT of factors that matter just as much, if not more than
CPU/disk/ram.

Traffic type matters. Blasting packets by on some oddball port that only
the "any" port rules are going to inspect is a lot different than
blasting HTTP traffic by that the http_inspect preprocessor is going to
look at, followed by a large number of content, uricontent and pcre
rules. 1 Gbps worth of large packets is much easier to handle than 1 Gbps
worth of tiny packets.

There's also a large impact from your surrounding software. OS, pcap
libraries, etc. can have a truly huge impact on Snort performance. There
will be a large performance difference between a Windows box with
WinPcap compared with a *nix box using Phil Wood's ring-buffer pcap
library on a kernel that's tuned for low latency with various preemption
patches. The ring-buffered pcap library alone makes a huge impact. I
haven't seen any numbers, but I would not be surprised to hear the
impact was in the +25% to +50% range in terms of peak data rate before
packet drop compared to a classic pcap library.

I doubt you'll break into the 2 Gbps range without some packet loss. In
order to break into the 2-8 Gbps range, the Sourcefire IS5800 is using
hardware ASICs to accelerate their system. That gives me the impression
that hitting 2 Gbps is hard to do with conventional hardware.

AFAIK the IS3000 doesn't use any custom hardware, just extensive tuning
and customization. It manages to get 0% drop rate at 1Gbps. IMO, if you
can match what the SF guys can do with their extensive tuning and
intimate knowledge of snort, then you're doing very well.
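The "1 Gbps of tiny packets is harder than 1 Gbps of large packets" point comes down to frames per second, which is the load an IDS actually sees. The following is an added example, not code from the original post or from Snort; it computes line-rate pps from standard Ethernet overheads and, given an assumed (hypothetical) per-sensor pps budget, the fraction of frames that budget cannot keep up with.

```python
# Added example (not from the original post): Ethernet frame-rate math
# behind "1 Gbps of tiny packets vs. 1 Gbps of large packets".
# An IDS is bounded by packets per second far more than by bits per second.

PREAMBLE_SFD = 8     # bytes on the wire before every frame (preamble + SFD)
IFG = 12             # inter-frame gap, expressed in byte-times
MIN_FRAME = 64       # minimum standard Ethernet frame, including FCS
MAX_FRAME = 1518     # maximum standard (non-jumbo) frame, including FCS


def max_pps(link_bps, frame_bytes):
    """Maximum frames/second a link can carry at one fixed frame size.

    frame_bytes includes the FCS; per-frame preamble and IFG are added
    because they consume line time even though no capture sees them.
    """
    if not MIN_FRAME <= frame_bytes <= MAX_FRAME:
        raise ValueError("frame size outside standard Ethernet range")
    wire_bits = (frame_bytes + PREAMBLE_SFD + IFG) * 8
    return link_bps / wire_bits


def estimated_drop_ratio(link_bps, frame_bytes, sensor_pps_capacity):
    """Fraction of frames a sensor with a fixed pps budget would miss at
    line rate. sensor_pps_capacity is a hypothetical number you would
    measure for your own box; it is an assumption, not a Snort figure.
    """
    offered = max_pps(link_bps, frame_bytes)
    if offered <= sensor_pps_capacity:
        return 0.0
    return 1.0 - sensor_pps_capacity / offered


if __name__ == "__main__":
    gig = 1_000_000_000
    for size in (64, 512, 1518):
        print(f"{size:5d}-byte frames at 1 Gbps: {max_pps(gig, size):,.0f} pps")
    # Assumed sensor budget of 500k pps: fine for large frames, swamped by small ones.
    for size in (64, 1518):
        print(f"  drop ratio at {size} bytes: {estimated_drop_ratio(gig, size, 500_000):.2%}")
```

The same 1 Gbps link offers roughly 81k pps of full-size frames but about 1.49 million pps of minimum-size frames, an 18x difference in per-packet work for identical bandwidth.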
