From: pieter c. <pi...@co...> - 2003-07-28 16:19:23
We have done some performance tests with snort-inline recently. The
paper is available on our website at
http://countersnipe.com/downloads/case_studies/

The good news is that we seem to be able to squeeze about 500 Mbit/sec +
out of the box with Dual Xeon processors.

Kudos to the Snort and Inline patch coders!

Pieter

On Mon, 2003-07-28 at 05:33, Jed Haile wrote:
> I know of snort-inline being used with a large (carefully tuned)
> ruleset on a 1.2 ghz pentium 3 on a T-3 with a large number of
> concurrent users (maybe a couple thousand). It works very well there.
> That is the largest load I know of an inline snort box handling. I also
> know of inline snort being used in front of some very busy web servers
> with very little trouble. I have also experimented with 100 megabit
> loads, and it looked good, but the test was not true traffic.
>
> It will depend largely on how well your box is configured, how many
> rules of what sort, what sort of output logging you are doing, and how
> many users in/out of the network you will be handling. Lots of
> variables.
>
> Hope this is some help...
>
> Jed
>
> On Sunday, July 27, 2003, at 02:21 PM, Brian Toovey wrote:
>
> > Hey Rob (or anyone)
> >
> > Do you have any stats on inline's maximum throughput? I am sure
> > it's dependent upon how many rulesets you have, but I don't have a
> > high speed network to test on
> >
> > Brian
> >
> >> hmm.. Looks like tcp is doing its job by resending packets that are
> >> lost :(. Can you give additional information about your system?
> >>
> >> uname -a
> >> snort_inline configuration
> >> how are you sending packets to snort_inline
> >> what other rules are you using
> >> etc.
> >>
> >> Thanks,
> >>
> >> Rob
> >>
> >> On Sun, 27 Jul 2003, josh wrote:
> >>
> >>> Hi List,
> >>> I want to drop all mail with a certain pattern of text, say
> >>> "abcdefg". I am aware that this may not be the best way to filter
> >>> mail, but for my purposes this is acceptable. I put the following
> >>> rule in /etc/snort/rules/local.rules
> >>>
> >>> drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"Spam mail";
> >>> content:"abcdefg";
> >>> nocase; flow:to_server,established; classtype:misc-activity; rev:1 ;)
> >>>
> >>> (Note: the actual rule is one line)
> >>>
> >>> When I send a message with the text "abcdefg" I see the dropped
> >>> packet in /var/log/snort/alerts. The message though still gets sent
> >>> with the "abcdefg" text in the message body. Messages with the
> >>> "abcdefg" content in the body take several minutes to be sent while
> >>> regular messages are sent immediately. I am running
> >>> snort_inline-2.0.0-1. The mail server is Sendmail 8.12.9. Does
> >>> anybody know why the message is being sent?
> >>
> >> _______________________________________________
> >> Snort-inline-users mailing list
> >> Sno...@li...
> >> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
> >
> > Brian Toovey
> > Zion Network Security
> > 3223 NE 40th St
> > Ft Lauderdale, FL 33308

--
Pieter Claassen
CounterSnipe Technologies
www.countersnipe.com
Highview House
Charles Square
Bracknell
Berkshire
RG12 1DF
Tel: +44(0) 1344 390 530
Fax: +44(0) 1344 390 700
Mobile: +44 (0) 776 6656 924
email: pi...@co...