[Snort-users] "Making Snort go fast under Linux..."
Mark W. Jeanmougin
mark.jeanmougin at ...14628...
Thu Feb 25 08:25:31 EST 2010
This is something that I struggle with as well.
I've been using just apache / wget and nfsd / dd as ways to generate
large loads. The HUGE problem with this is that it is very
uninteresting traffic. Using the above methods on my new workstations,
I can saturate a 10 Gbit / sec link consistently.
I do have a small library of malicious pcaps. So, I'll use the previous
methods to generate a "background load" and then replay the pcaps on
Finally, I have pcaps covering a few hours of "normal" network activity
from the locations where we have / will have IPS sensors. So, I'll
replay those to see what gets caught. The problem there is that the
contents of those pcaps are unknown; I don't know how much malicious
traffic is in there, nor what kinds of malice.
I'm really curious to see what others are doing in this world. I think
this is a problem that many of us face.
On 02/24/2010 11:40 AM, Randal T. Rioux wrote:
> You mentioned performance may be enhanced by using different
> compilers/flags. I'm going to run some tests using different setups (OS,
> compiler collection, etc). Can anybody suggest an ideal way to beat the
> Hell out of a Snort box?
> I'd like to analyze as large a dataset as possible containing a large
> amount of detectable malware/sig triggers. Something that can sustain 1Gb
> of traffic for approx. five minutes. I have the storage, systems and
> bandwidth in my lab to do fiber, copper, multiple platforms and operating