[Snort-users] throughput of snort usually(and with specific rules)

d a xstoneheartx at ...131...
Tue Apr 13 03:33:32 EDT 2010


Hi, everybody

In a security project I want to make an IDS/IPS System based on snort but I have to satisfy employer and investors for my choice about Snort.

One of the problem that I have is about the input traffic rate/throughput that snort can support and analyze with a good performance(Low CPU usage and packet drop).I know that it depends on a number of factors like the configuration of the system and which rules we are running as well as the underlying hardware and the OS configuration, But I want to know the normal range of its throughput.
Some where I read somebody wants to use it for 1-2 gb/s rate of traffic. Dose snort really works for xgb/s rate of input traffic without so much drop and high CPU usage?

In a book about snort that published in 2003(Intrusion detection with Snort By Jack Kozio ) that I think it's talking about snort-2.2  was wrote that snort works for 100Mb correctly and starts to loss packets in 200-300 Mb and can not run at traffic level higher than 500Mb. Does any body know about these numbers for snort-2.8.5?


The specification of my system that snort sensor is running on:
CPU : Intel core 2 duo 2.8GHz
RAM: 2-4 gig DDR2 KINGMAX
Hard:300 gig maxtor SATA
3 Ethernet Port 10/100

The network that I want to use system for includes more than 150 systems with a traffic rate of 200 Mb/s or more.

and the snort configuration that I need includes:

enabling  preprocessors , and enabling rules to detect web & CGI attacks, Phishing attacks , malwares and spywares and some others.


I want to use snort with out any accelerators. If I had to use one, is there any open-Source accelerator for snort?


Another question that I have is about OS.I'm using Suse10.3, is it suitable for our security goals  or other OS like cent-OS,open-BSD, .. are more secure?


Thanks a lot for your helps.


      




More information about the Snort-users mailing list