[Snort-users] throughput of snort usually(and with specific rules)
xstoneheartx at ...131...
Tue Apr 13 14:26:26 EDT 2010
Thanks for your attention.
Sorry for that mismatch. I used Ethernet 10/100 because I thought that the traffic rate for snort should be under 100Mb to works perfectly, But actually I want to use Ethernet 10/100/1000 for my need of 200Mb traffic rate if snort can support it. I want to use my box to protect network of a place like university.
I want to use snort for both IDS and IPS modes.
What can I do to detect phishing attacks in my IDS/IPS box. Can use of ClamAv with snort be helpful?
Any help will be appreciated.
--- On Tue, 4/13/10, rmkml <rmkml at ...953...> wrote:
> From: rmkml <rmkml at ...953...>
> Subject: Re: [Snort-users] throughput of snort usually(and with specific rules)
> To: "d a" <xstoneheartx at ...131...>
> Cc: rmkml at ...953...
> Date: Tuesday, April 13, 2010, 12:38 PM
> excuse me, you have writted: "3 Ethernet Port 10/100"
> but you have writted: "...with a traffic rate of 200 Mb/s
> or more"
> You have 200Mb/s with 100 network interface?
> another point: you need a ids ? (detection only) or a ips ?
> (inline blocking) because it's more different...
> On Tue, 13 Apr 2010, d a wrote:
> > Hi, everybody
> > In a security project I want to make an IDS/IPS System
> based on snort but I have to satisfy employer and investors
> for my choice about Snort.
> > One of the problem that I have is about the input
> traffic rate/throughput that snort can support and analyze
> with a good performance(Low CPU usage and packet drop).I
> know that it depends on a number of factors like the
> configuration of the system and which rules we are running
> as well as the underlying hardware and the OS configuration,
> But I want to know the normal range of its throughput.
> > Some where I read somebody wants to use it for 1-2
> gb/s rate of traffic. Dose snort really works for xgb/s rate
> of input traffic without so much drop and high CPU usage?
> > In a book about snort that published in 2003(Intrusion
> detection with Snort By Jack Kozio ) that I think it's
> talking about snort-2.2 was wrote that snort works for
> 100Mb correctly and starts to loss packets in 200-300 Mb and
> can not run at traffic level higher than 500Mb. Does any
> body know about these numbers for snort-2.8.5?
> > The specification of my system that snort sensor is
> running on:
> > CPU : Intel core 2 duo 2.8GHz
> > RAM: 2-4 gig DDR2 KINGMAX
> > Hard:300 gig maxtor SATA
> > 3 Ethernet Port 10/100
> > The network that I want to use system for includes
> more than 150 systems with a traffic rate of 200 Mb/s or
> > and the snort configuration that I need includes:
> > enabling preprocessors , and enabling rules to
> detect web & CGI attacks, Phishing attacks , malwares
> and spywares and some others.
> > I want to use snort with out any accelerators. If I
> had to use one, is there any open-Source accelerator for
> > Another question that I have is about OS.I'm using
> Suse10.3, is it suitable for our security goals or
> other OS like cent-OS,open-BSD, .. are more secure?
> > Thanks a lot for your helps.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users