[Snort-users] Snort performance

Bob Walder bwalder at ...1926...
Tue Mar 29 02:40:35 EST 2005


I agree - our last test on open source Snort was actually on 2.x (on
standard off-the-shelf server-class hardware), not 1.8 - my apologies

And yes, we DID find that 2.x was MUCH faster than 1.x  ;o)

Bob


On 29/3/05 12:25 pm, "Milani Paolo" <Paolo.Milani at ...3258...> wrote:

> 
> Unfortunately results for Snort 1.8 are unreliable since post 2.0 versions are
> MUCH faster (that's when the whole multi-pattern-matching algorithms thing
> came in).
> 
> Results for Sourcefire IS3000 are not directly applicable to Snort because, as
> you mention in your report, the Sourcefire sensor uses a custom packet capture
> driver instead of pcap library. A custom driver gives MAJOR performance
> increase, results for vanilla snort are not going to be anywhere near that
> good.
> 
> my 2 cents,
> Paolo Milani
> 
>> Subject: Re: [Snort-users] Snort performance
>> From: Bob Walder <bwalder at ...1926...>
>> To: Ramkumar Chinchani <rc27 at ...13217...>,
>> Snort-Users Mailing List <snort-users at lists.sourceforge.net>
>> 
>> We looked at open source Snort some time ago (back in the V1.8 days) and
>> that appears in one of our earlier reports.
>> 
>> However, our latest Gigabit IDS report includes detailed performance tests
>> of the Sourcefire IS3000 which is, of course, based on Snort
>> (www.nss.co.uk/gigabitids).
>> 
>> Bob Walder
>> The NSS Group
>> 
>> 
>> 
>> On 25/3/05 11:33 pm, "Ramkumar Chinchani" <rc27 at ...13217...> wrote:
>> 
>>> Hi all,
>>> 
>>> I am looking for references/pointers to any documented measurements on
>>> Snort's performance overheads, latency and such.
>>> 
>>> Thanks,
>>> 
>>> _R
>>> 
> 
> 
> Gruppo Telecom Italia - Direzione e coordinamento di Telecom Italia S.p.A.
> 
> ====================================================================
> CONFIDENTIALITY NOTICE
> This message and its attachments are addressed solely to the persons
> above and may contain confidential information. If you have received
> the message in error, be informed that any use of the content hereof
> is prohibited. Please return it immediately to the sender and delete
> the message. Should you have any questions, please send an e_mail to
> MailAdmin at ...13220... Thank you
> ====================================================================
> 
> 
> -------------------------------------------------------
> SF email is sponsored by - The IT Product Guide
> Read honest & candid reviews on hundreds of IT Products from real users.
> Discover which products truly live up to the hype. Start reading now.
> http://ads.osdn.com/?ad_ide95&alloc_id396&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users






More information about the Snort-users mailing list