From: Adayadil T. <ada...@gm...> - 2007-06-22 01:51:41

Greetings.

I am interested to know the performance/throughput (mbps,pps)
for a snort-inline system with stream reassembly deployed inline
on a network.
Assuming the system (hardware) used is quite powerful
(for e.g. 2.4GHz, 1066MHz front side bus, 2x4MB cache with >1G RAM)

Any information is much appreciated.

Thanks

From: Will M. <wil...@gm...> - 2007-06-22 02:36:30

I think this greatly depends on what type of traffic you are queueing
and what rule sets you have enabled. Are you experiencing slowdown?
Getting lots of window scale and ooo alerts? Try tweaking wscale....

http://www.inliniac.net/blog/?p=85

Regards,

Will

From: Adayadil T. <ada...@gm...> - 2007-06-22 03:00:07

Thanks for the reply.

I am only looking for a crude estimate.
Has anyone measured performance of the snort inline?

Results of throughput tests using snort inline on
- any type of system
- with any ruleset and traffic profile
would suffice.

Thanks

From: Eric L. <er...@in...> - 2007-06-22 05:41:47

Hi,

On Thursday 21 June 2007 at 23:00 -0400, Adayadil Thomas wrote:
> Thanks for the reply.
>
> I am only looking for a crude estimate.
> Has anyone measured performance of the snort inline?
>
> Results of throughput tests using snort inline on
> - any type of system
> - with any ruleset and traffic profile
> would suffice.

You can have a look at the following study:
http://wiki.vuurmuur.org/~victor/snort_inline_perf.pdf

BR,
--
Eric Leblond <er...@in...>
INL

From: Dave R. <dr...@ni...> - 2007-06-22 14:24:11

Adayadil Thomas wrote:
> Thanks for the reply.
>
> I am only looking for a crude estimate.
> Has anyone measured performance of the snort inline?

Sounds like you're using a Core 2 Duo?

Are you using snort_inline with ipq or with nfq?

Our experience has been that stream reassembly uses about 10% more CPU
than without. After that, the traffic mix, preprocessors turned on and
snort ruleset can cause traffic to vary by up to a factor of 6. The
worst case is all http. A single instance of snort, running on a Core 2
Duo, with a normal ruleset, all high port traffic from a traffic
generator (iperf), should run around 400-500 Mbits/sec. The switch to
all http traffic will drop the throughput to less than a third of that.

NICs and iptables rules are also part of the throughput issue - some
NICs use way more CPU than others, and complicated iptables rules can
slow things down. Oh, and correctly tuning the box makes a big
difference. Running two instances of snort can help, until you run out
of CPU.

Victor's performance analysis is a good starting point.

Cheers,

Dave

From: Dave R. <dr...@ni...> - 2007-06-22 14:34:38

Dave Remien wrote:

A little more "filler", because apparently I'm not fully awake....

> Sounds like you're using a Core 2 Duo?

Or Quadro?

> Are you using snort_inline with ipq or with nfq?

ipq is a little more efficient, nfq lets you run multiple copies of
snort to take advantage of more CPUs.

> Our experience has been that stream reassembly uses about 10% more CPU
> than without. After that, the traffic mix, preprocessors turned on and
> snort ruleset can cause traffic to vary by up to a factor of 6. The
> worst case is all http. A single instance of snort, running on a Core 2
> Duo, with a normal ruleset,

i.e., 3000-400 current rules, the stock snort preprocessors turned on,
and with stream reassembly on,

> all high port traffic from a traffic
> generator (iperf), should run around 400-500 Mbits/sec. The switch to
> all http traffic

with the http: preprocessor enabled

> will drop the throughput to less than a third of that.

Using stick or snot, or something else designed to get snort to alert on
every packet will take overall throughput down to maybe 10 Mbits/sec.

> NICs and iptables rules are also part of the throughput issue - some
> NICs use way more CPU than others, and complicated iptables rules can
> slow things down. Oh, and correctly tuning the box makes a big
> difference. Running two instances of snort can help, until you run out
> of CPU.
>
> Victor's performance analysis is a good starting point.

Cheers,

Dave