[Snort-users] Approximate bandwidth performance running Snort

Arseneault, Thomas (HQP) thomas.arseneault at ...13070...
Fri Apr 22 11:00:59 EDT 2005


There was a thread a little while ago (check the archives) in which it
was also determined that not all hardware is created equal. The same
specs on boards by different manufacturers made a big difference. I don't
recall if a "best of breed" was chosen, but the thread should help in
figuring out how to pick the best hardware.

Tom Arseneault
Security Engineer
Robert Half International 

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Matt
Kettler
Sent: Friday, April 22, 2005 10:39 AM
To: Tristan RHODES
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Approximate bandwidth performance running Snort

Tristan RHODES wrote:

>Assume I buy a new dual-processor (Xeon or Opteron) server with 2 GB of
>RAM and SCSI disks.  I plan on installing multiple gigabit network
>cards.
>
>How much bandwidth can I expect a default installation of Snort to 
>handle?  1 Gbps?  2 Gbps?  More?  Less?
>
>Thanks,
>
I'd venture a guess at somewhere between 500mbps and 1g, however that's
a wild guess and making a lot of assumptions. I'll also make the
disclaimer that I've never tried to set up a high-performance snort box
before, so take my comments here as being highly anecdotal.


In general IDS performance is a fairly ambiguous thing to measure, as
there are a LOT of factors that matter just as much, if not more than
CPU/disk/ram.

Traffic type matters. Blasting packets by on some oddball port that only
the "any" port rules are going to inspect is a lot different than
blasting http traffic by that the http_inspect preprocessor is going to
look at, followed by a large number of content, uricontent and pcre
rules. 1Gbps worth of large packets is much easier to handle than 1Gbps
worth of tiny packets.

There's also a large impact from your surrounding software. OS, pcap
libraries, etc. can have a truly huge impact on snort performance. There
will be a large performance difference between a Windows box with
winpcap compared with a *nix box using Phil Wood's ring buffer pcap
library on a kernel that's tuned for low latency with various preemption
patches. The ring buffered pcap library alone makes a huge impact. I
haven't seen any numbers, but I would not be surprised to hear the
impact was in the +25% to +50% range in terms of peak data rate before
packet drop compared to a classic pcap library.

I doubt you'll break into the 2gig range without some packet loss. In
order to break into the 2-8 gig range, the Sourcefire IS5800 is using
hardware ASICs to accelerate their system. That gives me the impression
that hitting 2gig is hard to do with conventional hardware.

AFAIK the IS3000 doesn't use any custom hardware, just extensive tuning
and customization. It manages to get 0% drop rate at 1Gbps. IMO, if you
can match what the SF guys can do with their extensive tuning and
intimate knowledge of snort, then you're doing very well.
