From: Dave R. <dr...@ni...> - 2007-06-22 14:34:38
Dave Remien wrote:

A little more "filler", because apparently I'm not fully awake....

> Sounds like you're using a Core 2 Duo? Or Quadro?
>
> Are you using snort_inline with ipq or with nfq? ipq is a little more efficient, nfq lets you run multiple copies of snort to take advantage of more CPUs.
>
> Our experience has been that stream reassembly uses about 10% more CPU than without. After that, the traffic mix, preprocessors turned on and snort ruleset can cause traffic to vary by up to a factor of 6. The worst case is all http. A single instance of snort, running on a Core 2 Duo, with a normal ruleset, i.e., 3000-400 current rules, the stock snort preprocessors turned on, and with stream reassembly on, all high port traffic from a traffic generator (iperf), should run around 400-500 Mbits/sec. The switch to all http traffic with the http: preprocessor enabled will drop the throughput to less than a third of that. Using stick or snot, or something else designed to get snort to alert on every packet will take overall throughput down to maybe 10 Mbits/sec.
>
> NICs and iptables rules are also part of the throughput issue - some NICs use way more CPU than others, and complicated iptables rules can slow things down. Oh, and correctly tuning the box makes a big difference. Running two instances of snort can help, until you run out of CPU.
>
> Victor's performance analysis is a good starting point.

Cheers,

Dave