From: pieter c. <pi...@co...> - 2003-07-28 17:18:47
Apologies that the previous link asked for authentication. Here is a
direct link to the file that requires no authentication.

http://countersnipe.com/downloads/case_studies/APD_Performance_eval.pdf

Regards,
Pieter

On Mon, 2003-07-28 at 16:57, pieter claassen wrote:
> We have done some performance tests with snort-inline recently. The
> paper is available on our website at
> http://countersnipe.com/downloads/case_studies/
>
> The good news is that we seem to be able to squeeze about 500 Mbit/sec +
> out of the box with Dual Xeon processors. Kudos to the Snort and
> Inline patch coders!
>
> Pieter
>
> On Mon, 2003-07-28 at 05:33, Jed Haile wrote:
> > I know of snort-inline being used with a large (carefully tuned)
> > ruleset on a 1.2 GHz Pentium 3 on a T-3 with a large number of
> > concurrent users (maybe a couple thousand). It works very well there.
> > That is the largest load I know of an inline snort box handling. I also
> > know of inline snort being used in front of some very busy web servers
> > with very little trouble. I have also experimented with 100 megabit
> > loads, and it looked good, but the test was not true traffic.
> >
> > It will depend largely on how well your box is configured, how many
> > rules of what sort, what sort of output logging you are doing, and how
> > many users in/out of the network you will be handling. Lots of
> > variables.
> >
> > Hope this is some help...
> >
> > Jed
> >
> > On Sunday, July 27, 2003, at 02:21 PM, Brian Toovey wrote:
> > > Hey Rob (or anyone)
> > >
> > > Do you have any stats on inline's maximum throughput? I am sure it's
> > > dependent upon how many rulesets you have, but I don't have a high
> > > speed network to test on
> > >
> > > Brian
> > >
> > >> hmm.. Looks like tcp is doing its job by resending packets that are
> > >> lost :(. Can you give additional information about your system?
> > >>
> > >> uname -a
> > >> snort_inline configuration
> > >> how are you sending packets to snort_inline
> > >> what other rules are you using
> > >> etc.
> > >>
> > >> Thanks,
> > >>
> > >> Rob
> > >>
> > >> On Sun, 27 Jul 2003, josh wrote:
> > >>
> > >>> Hi List,
> > >>> I want to drop all mail with a certain pattern of text, say
> > >>> "abcdefg". I am aware that this may not be the best way to filter
> > >>> mail, but for my purposes this is acceptable. I put the following
> > >>> rule in /etc/snort/rules/local.rules
> > >>>
> > >>> drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"Spam mail";
> > >>> content:"abcdefg";
> > >>> nocase; flow:to_server,established; classtype:misc-activity; rev:1 ;)
> > >>>
> > >>> (Note: the actual rule is one line)
> > >>>
> > >>> When I send a message with the text "abcdefg" I see the dropped
> > >>> packet in /var/log/snort/alerts. The message though still gets sent
> > >>> with the "abcdefg" text in the message body. Messages with the
> > >>> "abcdefg" content in the body take several minutes to be sent while
> > >>> regular messages are sent immediately. I am running
> > >>> snort_inline-2.0.0-1. The mail server is Sendmail 8.12.9. Does
> > >>> anybody know why the message is being sent?
> > >>
> > >> _______________________________________________
> > >> Snort-inline-users mailing list
> > >> Sno...@li...
> > >> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
> > >
> > > Brian Toovey
> > > Zion Network Security
> > > 3223 NE 40th St
> > > Ft Lauderdale, FL 33308
>
> --
> Pieter Claassen
> CounterSnipe Technologies
> www.countersnipe.com
>
> Highview House
> Charles Square
> Bracknell
> Berkshire
> RG12 1DF
>
> Tel: +44(0) 1344 390 530
> Fax: +44(0) 1344 390 700
> Mobile: +44 (0) 776 6656 924
> email: pi...@co...