[Snort-users] CPU and RAM planning tool

Sallee, Stephen (Jake) Jake.Sallee at ...15646...
Sun Mar 10 14:00:21 EDT 2013


>> As far as I know, no tool exists like that, and yes, it would be very useful, and it wouldn't be hard and fast, it would be a very loose estimate.

That's a fair point. Do you think it may be possible to get within, say, +/- 20% of reality?

A true test of performance can only be done with the actual hardware, that much is obvious.  But, if it is possible to get within a statistical margin of reality that would be great.

Attempting to get perfect numbers would be a very daunting task.  Bus speeds, bus architecture, CPU instruction sets ... compilation flags, gcc version ... aaaaand my head almost exploded just thinking about it.  And that's just for the CPU  <( ' o ')>



Jake Sallee
Godfather of Bandwidth
Network Engineer
University of Mary Hardin-Baylor

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221






From: Joel Esler [jesler at ...1935...]
Sent: Sunday, March 10, 2013 8:52 AM
To: Sallee, Stephen (Jake)
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] CPU and RAM planning tool







On Mar 9, 2013, at 11:36 PM, "Sallee, Stephen (Jake)" <Jake.Sallee at ...15648......> wrote:

Does a tool exist that one can use to size the CPU and RAM requirements for a given usage scenario?

I understand that the amount of both CPU and RAM is very dependent on a few factors such as:

- Number of rules to execute
- The complexity of the rules used
- Link utilization
- Processor speed
- ... and several others

But it seems that given a few inputs one could make a fairly accurate assessment of the necessary hardware if only a few variables were known.

For example:  What kind of server would I need to inspect 100Mb/sec of traffic using a minimal rule set? What about the HW I would need to do the same with the default rule set? (I know, tuning your Snort server is VERY important.)

If one could measure how many CPU cycles it takes to run a single packet through the minimal or default rule set, then the rest of this calculation becomes simple insofar as the CPU is concerned.

Memory is so cheap these days that you can just throw memory at the problem until the problem goes away, unless you are virtualizing; then memory/CPU allocation is the name of the game.

If no tool is available, I would be interested in developing one if the community thinks it is a useful endeavor.

I am new to Snort, and a tool like this would be VERY helpful to me as a newcomer.  What do you guys think?



As far as I know, no tool exists like that, and yes, it would be very useful, and it wouldn't be hard and fast, it would be a very loose estimate.



--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire






