[Snort-users] Considering using snort

Guy wyldfury at ...11827...
Fri Aug 21 11:00:18 EDT 2009

Hi Mark,

2009/8/21 Mark W. Jeanmougin <mark.jeanmougin at ...14628...>:
> Guy,
> It depends on traffic load, application load, hardware specs, acceptable
> overhead, rule set, and all kinds of things that I probably haven't even
> thought about.
> But, I think you've answered the question in your post.  If you've been
> running snort on your load balancer, and you're basically happy with
> performance, then it sounds like the performance impact is acceptable.

On the load balancers it's definitely acceptable. It's our mail
gateways that I'm hesitant to experiment on.

They process about 100000 connections/messages each every day. They're
commodity boxes with single CPU quad cores with 2 disks in RAID 1 and
8GB RAM. At the moment the load average on top seldom goes above 1.

I'd pretty much like to know whether Snort's overhead tends to be
fairly consistent across different types of network traffic. If it
does, then there's little chance of it being a problem on the mail
gateways and I'll give it a go.

