[Oisf-users] [Emerging-Sigs] Very interesting Suricata Performance Study

Martin Holste mcholste at gmail.com
Fri Sep 23 17:28:01 UTC 2011

I read this paper with great interest.  A few notes:

They claimed to be dropping packets at around 100 Mb/sec with tcpdump,
which means they weren't using PF_RING.  To me, this meant all of
their results were off some because either the PF_RING or AFPACKET
plugins for both Suri and Snort accelerate them considerably.  When
packet collection is no longer the bottleneck, tuning the detection
options becomes much more important.

Despite this, my real-world experiences seem to basically agree with
their results, in that a single Snort instance cannot handle more than
200 Mb/sec (I would put it down around 100 Mb/sec with more than 1000
rules).  I also agree that Suri uses far more resources than Snort,
with the advantage that you don't have to do any software
load-balancing for Suri.

They relied on packet stats, which is a horribly flawed method for
their live traffic experiments.  For live traffic, you need to use
heartbeat sigs for any accurate measurement.

I wish they would've mapped out far more configuration parameters,
especially the pattern matching engines within each IDS.

On Fri, Sep 23, 2011 at 9:55 AM, Matthew Jonkman
<jonkman at emergingthreatspro.com> wrote:
> http://faculty.nps.edu/ncrowe/oldstudents/ealbin_thesis_final.htm
> A great study by Gene Albin from the Naval Postgrad school. Extremely well done Gene! Thank you
> Well worth a read, but a few interesting extracts:
> In experiment two:
> "The NPS High Performance Computing Center operates a Sun Microsystems 6048 "blade" system with 144 blades and 1152 CPU cores (Haferman, 2011). For our experiment we used one compute node composed of 48 AMD Opteron 6174 12-core processors with 125GB of RAM available"
> Holy Christ man! I'm way beyond jealous!
> Matt
> ----------------------------------------------------
> Matt Jonkman
> Emerging Threats Pro
> Open Information Security Foundation (OISF)
> Phone 866-504-2523 x110
> http://www.emergingthreatspro.com
> http://www.openinfosecfoundation.org
> ----------------------------------------------------
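An added example of the heartbeat-signature measurement Martin describes, not code from the original post, the thesis, or the Suricata project. The idea: a generator on the monitored segment sends a recognizable packet at a fixed interval, a rule alerts on it, and gaps between alerts tell you what the sensor actually failed to see, independent of the capture interface's packet counters. The rule text, the sid 9000001, the one-second send interval, and the EVE JSON lines below are all assumptions constructed for the example; the rule uses the Suricata http_user_agent modifier and would need to match whatever your generator sends.

```python
"""
Estimate live-traffic IDS loss from heartbeat-signature alerts.

A heartbeat generator sends one marked HTTP request every INTERVAL_S
seconds. If the sensor alerts on every one, the gap between consecutive
alerts is ~INTERVAL_S. A longer gap means heartbeats were sent but never
alerted on, i.e. the sensor dropped them somewhere between the wire and
detection. Packet counters cannot tell you this; the alert stream can.
"""
import json
from datetime import datetime

# Hypothetical heartbeat rule and sid (assumptions, not from the post).
HEARTBEAT_RULE = (
    'alert http any any -> any any (msg:"IDS heartbeat"; '
    'http_user_agent; content:"ids-heartbeat/1"; sid:9000001; rev:1;)'
)
HEARTBEAT_SID = 9000001
INTERVAL_S = 1.0  # assumed generator send interval


def parse_heartbeat_times(eve_lines, sid=HEARTBEAT_SID):
    """Return sorted epoch timestamps of heartbeat alerts found in EVE JSON lines.

    Non-alert events, other signatures and unparseable lines are skipped.
    """
    times = []
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") != "alert":
            continue
        if rec.get("alert", {}).get("signature_id") != sid:
            continue
        # Suricata EVE timestamps look like 2011-09-23T17:28:01.000000+0000
        ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        times.append(ts.timestamp())
    return sorted(times)


def heartbeat_loss(times, interval_s=INTERVAL_S):
    """Estimate missed heartbeats from inter-alert gaps.

    A gap of g seconds implies round(g / interval_s) - 1 heartbeats went
    unseen. Jitter under half an interval rounds to zero missed. Loss
    before the first or after the last alert is invisible to this method.
    """
    result = {"seen": len(times), "missed": 0, "loss": 0.0,
              "worst_gap_s": 0.0, "outages": []}
    if len(times) < 2:
        return result
    for a, b in zip(times, times[1:]):
        gap = b - a
        result["worst_gap_s"] = max(result["worst_gap_s"], gap)
        missed = int(round(gap / interval_s)) - 1
        if missed > 0:
            result["missed"] += missed
            result["outages"].append((a, b, missed))
    total = result["seen"] + result["missed"]
    result["loss"] = result["missed"] / total
    return result


def _eve_alert(second, sid=HEARTBEAT_SID):
    """Build a constructed EVE alert line at 17:28:<second> on 2011-09-23."""
    ts = f"2011-09-23T17:28:{second:02d}.000000+0000"
    return json.dumps({"timestamp": ts, "event_type": "alert",
                       "alert": {"signature_id": sid, "signature": "IDS heartbeat"}})


# Constructed sample: heartbeats at 0-4, an outage until 10, then 11, 12,
# a shorter outage until 15, then 16. Noise lines are mixed in.
SAMPLE_EVE = [_eve_alert(s) for s in (0, 1, 2, 3, 4, 10, 11, 12, 15, 16)]
SAMPLE_EVE.insert(3, json.dumps({"timestamp": "2011-09-23T17:28:02.500000+0000",
                                 "event_type": "flow"}))
SAMPLE_EVE.insert(6, _eve_alert(7, sid=2000001))  # some other rule, ignored
SAMPLE_EVE.append("this line is not json")


if __name__ == "__main__":
    r = heartbeat_loss(parse_heartbeat_times(SAMPLE_EVE))
    print(f"seen={r['seen']} missed={r['missed']} "
          f"loss={r['loss']:.1%} worst_gap={r['worst_gap_s']:.0f}s")
    for start, end, n in r["outages"]:
        print(f"  outage: {n} heartbeats missing between {start:.0f} and {end:.0f}")
```

Run it against a real eve.json and the numbers come from the detection path end to end, so a loss figure here is real even when the capture counters say zero drops. Make the interval short enough that outages of the length you care about show up, and send the heartbeat from a host whose traffic follows the same path as the production flows you are monitoring.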
