[Snort-users] "Making Snort go fast under Linux..."

Mark W. Jeanmougin mark.jeanmougin at ...14628...
Thu Feb 25 08:25:31 EST 2010


This is something that I struggle with as well.

I've been using just apache / wget and nfsd / dd as ways to generate 
large loads.  The HUGE problem with this is that it is very 
uninteresting traffic.  Using the above methods on my new workstations, 
I can saturate a 10 Gbit / sec link consistently.

I do have a small library of malicious pcaps.  So, I'll use the previous 
methods to generate a "background load" and then replay the pcaps on 
another interface.

Finally, I have pcaps covering a few hours of "normal" network activity 
from the locations where we have / will have IPS sensors.  So, I'll 
replay those to see what gets caught.  The problem there is that the 
contents of those pcaps are unknown; I don't know how much malicious 
traffic is in there, nor what kinds of malice.

I'm really curious to see what others are doing in this world.  I think 
this is a problem that many of us face.



On 02/24/2010 11:40 AM, Randal T. Rioux wrote:
> You mentioned performance may be enhanced by using different
> compilers/flags. I'm going to run some tests using different setups (OS,
> compiler collection, etc). Can anybody suggest an ideal way to beat the
> Hell out of a Snort box?
> I'd like to analyze as large a dataset as possible containing a large
> amount of detectable malware/sig triggers. Something that can sustain 1Gb
> of traffic for approx. five minutes. I have the storage, systems and
> bandwidth in my lab to do fiber, copper, multiple platforms and operating
> systems.
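The procedure in the post above (replay a library of pcaps on a sensor-facing interface, then see what fires) is easy to get wrong in two places: sizing the replay so it actually sustains the target rate, and knowing what the replayed "normal" captures contained once the run is over. The following is an added example, not code from the poster, from Snort, or from tcpreplay. It assumes classic libpcap files (magic 0xa1b2c3d4 / 0xd4c3b2a1 with microsecond timestamps; pcapng is not handled), tcpreplay's --multiplier and --loop options for rate scaling, and Snort's alert_fast text layout for the alert file; the sample pcap bytes and alert lines are constructed for the demonstration.

```python
"""Plan a pcap replay for a Snort load test and tally what the sensor fired on.

Added example for the Snort-users thread; not the poster's code and not from
the Snort or tcpreplay projects. Assumptions (labelled): pcaps are classic
libpcap files (pcapng is not handled); replay uses tcpreplay --multiplier /
--loop; alerts use Snort's alert_fast line layout. All sample data is constructed.
"""
import math
import re
import struct
from collections import Counter

# Magic read as little-endian: a native LE file yields 0xa1b2c3d4, a BE file 0xd4c3b2a1.
PCAP_MAGIC = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}
GLOBAL_HDR = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
PKT_HDR = 16      # ts_sec, ts_usec, incl_len, orig_len


def pcap_stats(data: bytes):
    """Return (packets, captured_bytes, duration_s) for a libpcap blob.

    captured_bytes sums incl_len, i.e. what tcpreplay can actually put on the
    wire; a snaplen-truncated capture therefore replays lighter than the original.
    """
    endian = PCAP_MAGIC[struct.unpack("<I", data[:4])[0]]   # KeyError: not libpcap
    off, packets, captured = GLOBAL_HDR, 0, 0
    first = last = None
    while off + PKT_HDR <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + PKT_HDR])
        off += PKT_HDR + incl_len
        if off > len(data):
            raise ValueError("truncated packet record")
        t = ts_sec + ts_usec / 1e6
        first = t if first is None else first
        last = t
        packets += 1
        captured += incl_len
    duration = (last - first) if packets > 1 else 0.0
    return packets, captured, duration


def replay_plan(captured_bytes, duration_s, target_gbps, sustain_s):
    """tcpreplay settings needed to hold target_gbps for sustain_s with this pcap."""
    if captured_bytes == 0:
        raise ValueError("empty capture")
    seconds_per_loop = captured_bytes * 8 / (target_gbps * 1e9)   # one pass at the target rate
    loops = math.ceil(sustain_s / seconds_per_loop)
    # --multiplier scales the recorded inter-packet gaps, so it is undefined for a
    # capture with no time span; use --topspeed or --mbps for those instead.
    multiplier = duration_s / seconds_per_loop if duration_s > 0 else None
    native_gbps = captured_bytes * 8 / duration_s / 1e9 if duration_s > 0 else None
    return {"seconds_per_loop": seconds_per_loop, "loops": loops,
            "multiplier": multiplier, "native_gbps": native_gbps}


# alert_fast layout (assumed): "<ts>  [**] [gid:sid:rev] msg [**] [Classification: x] [Priority: n] {proto} src -> dst"
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r"(?: \[Classification: (?P<cls>[^\]]+)\])? \[Priority: (?P<pri>\d+)\]"
    r" \{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)"
)


def summarize_alerts(lines):
    """Count alerts by signature and by classification; unparsed lines are counted, not dropped."""
    by_sig, by_class, unparsed = Counter(), Counter(), 0
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            if line.strip():
                unparsed += 1
            continue
        by_sig["%s:%s %s" % (m["gid"], m["sid"], m["msg"])] += 1
        by_class[m["cls"] or "(unclassified)"] += 1
    return {"by_sig": by_sig, "by_class": by_class, "unparsed": unparsed}


# --- constructed sample inputs ---------------------------------------------
def sample_pcap():
    """Three 1500-byte frames spanning exactly one second (constructed, not captured)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b""
    for ts_sec, ts_usec in ((1000, 0), (1000, 500000), (1001, 0)):
        body += struct.pack("<IIII", ts_sec, ts_usec, 1500, 1500) + b"\x00" * 1500
    return hdr + body


SAMPLE_ALERTS = [  # constructed; SIDs are in the local-rule range, not real rule ids
    "02/25-08:25:31.000001  [**] [1:1000001:1] LOCAL constructed rule A [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:43210 -> 10.0.0.9:80",
    "02/25-08:25:32.000002  [**] [1:1000001:1] LOCAL constructed rule A [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.6:43211 -> 10.0.0.9:80",
    "02/25-08:25:33.000003  [**] [1:1000002:1] LOCAL constructed rule B [**] [Priority: 3] {UDP} 10.0.0.7:5353 -> 10.0.0.9:53",
]

if __name__ == "__main__":
    n, nbytes, dur = pcap_stats(sample_pcap())
    plan = replay_plan(nbytes, dur, target_gbps=1.0, sustain_s=300)
    print("%d packets, %d bytes, %.3f s -> tcpreplay --multiplier=%.1f --loop=%d"
          % (n, nbytes, dur, plan["multiplier"], plan["loops"]))
    summary = summarize_alerts(SAMPLE_ALERTS)
    for sig, count in summary["by_sig"].most_common():
        print(count, sig)
    print("unparsed lines:", summary["unparsed"])
```

Run the planner against each pcap before the test and record the loop count with the run; the per-signature tally afterwards turns an "unknown" background capture into a known one, and the unparsed-line count tells you when the alert format has drifted rather than silently under-counting. Alert counts alone do not show load problems, so read them next to the packet-drop figures Snort prints at shutdown.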
