[Snort-users] high packet loss - low throughput
jesler at ...1935...
Sun Jul 21 08:03:59 EDT 2013
Yes, performance that low seems incorrect. I don't think it's Snort with numbers that low.
Sent from my iPad
On Jul 21, 2013, at 6:16 AM, Michal Purzynski <michal at ...16244...> wrote:
> On 7/21/13 2:22 AM, Joel Esler wrote:
>> On Jul 20, 2013, at 6:46 PM, Michal Purzynski <michal at ...16244...> wrote:
>>> The sourcefire company claims to achieve 1Gbit/sec per CPU core. I find
>>> it actualy hard to believe as the "empty" snort used to do around
>>> 250-300Mbit/sec per core here. Empty as in no rules at all.
>> Even more. But we have a dedicated appliance specifically tuned with special drivers to run Snort very fast. You are doing this, I assume on commodity hardware, on a stock OS, running many things (Security Onion)
> Not really, SO is so wonderful you can enable and disable functionality on demand, and so I've done. The box is running snort and netsniff-ng only, has around 20 processes of snort (24 execution threads with HT enabled).
> Still - 45Mbit/sec per instance with packet loss is disappointing. And 100 would be too.
> Also, I'm running Intel and pf_ring, can try a Myricom (and not pf_ring). I won't try anything more expensive like FPGA accelerated cards, since I find them too limited and having no real advantage over Myricom and a lot of downsides.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users