[Snort-users] "Making Snort go fast under Linux..."

beenph beenph at ...11827...
Wed Feb 24 12:32:24 EST 2010


Personally I have run into some odd issues with tcpreplay in the past
[Besides stress testing of network interface] if you have "home made
pcap" just feed the pcap directly to Snort.

You might get more realistic results overall.

-elz


2010/2/24 Edward Bjarte Fjellskål <edward.fjellskal at ...14590...>:
> Randal T. Rioux wrote:
>> On Wed, February 24, 2010 9:02 am, Edward Bjarte Fjellskål wrote:
>>> During the years, I have tried to gather some notes
>>> on what can help "Snort go faster".
>>>
>>> I summed it up in a blog post:
>>> http://www.gamelinux.org/?p=81
>>>
>>> If anyone here has any comments/improvements/tips etc,
>>> I would be happy to hear about them, and include them
>>> in my post for future reference.
>>
>> Nice job, some really great pointers. Gave me an idea.
>
> Thanks :)
>
>> You mentioned performance may be enhanced by using different
>> compilers/flags. I'm going to run some tests using different setups (OS,
>> compiler collection, etc). Can anybody suggest an ideal way to beat the
>> Hell out of a Snort box?
>>
>> I'd like to analyze as large a dataset as possible containing a large
>> amount of detectable malware/sig triggers. Something that can sustain 1Gb
>> of traffic for approx. five minutes. I have the storage, systems and
>> bandwidth in my lab to do fiber, copper, multiple platforms and operating
>> systems.
>
> First thing that comes to mind:
> http://www.breakingpointsystems.com/
> Though I have no experience with the product, I'm just aware of it :)
>
> When I do testing, I usually have home made pcaps, and replay them
> with tcpreplay and/or even daemonlogger.
>
> tcpreplay has some nice features on how fast you want to replay
> the traffic.
>
>>
>> This will be fun.
>
> Enjoy :)
>
>> Thanks!
>> Randy
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users