
Re: [Snort-devel] Snort 2.0 high CPU load and bad alert rate with higher traffic loads?

From: Daniel J. Roelker <droelker(at)sourcefire.com>
Date: Wed Jun 04 2003 - 14:09:22 EDT

Thanks for testing Snort 2.0 performance and giving us your feedback.

I just have some suggestions as you do your testing:

  • I suggest reading the focus-ids mailing list archives about the different ways in which to test an intrusion detection system for performance. There's been quite a lot of discussion about the type of background traffic to generate. The forerunners in the IDS testing market try to mimic real network traffic profiles when testing performance. This especially became important after the very questionable testing methodologies that Miercom originally used (sending random traffic on one port, in their case port 0).
  • Check your snort configuration file. Do you have all the performance options turned on (httpflow, detection, etc)? The configuration files will look different between snort 1.9 and snort 2.0.

The other thing to keep in mind when evaluating your test results is that both Sourcefire customers and open-source users have validated the fact that Snort 2.0 is much faster than 1.9. This isn't counting all the testing that Sourcefire has done or the verification by independent third parties. My guess is that either your snort configuration and/or background traffic may be the culprit here.

Good luck in your future testing.

Dan

On Mon, 2003-06-02 at 08:14, Obermayr Thomas wrote:
> Hiya!

-- 
Daniel Roelker
Software Developer
Sourcefire, Inc.



_______________________________________________
Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Received on Wed Jun 4 14:24:53 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:06 EDT
