Snort Test Results

Running Snort on Linux

Platform
Napatech SmartNIC
Content Type
Application Note
Capture Software Version
Link™ Capture Software 12.5

Hardware configuration

  • Model: Supermicro (X8DTH)
  • CPU(s): 2 × Intel(R) Xeon(R) CPU X5550 @ 2.67 GHz
  • Number of CPU cores: 2 × 4 × hyper-threading = 16
  • NUMA Nodes: 2
  • RAM: 12 GB @ 1333 MHz

OS configuration

  • Distribution: CentOS 6.3 64-bit
  • Kernel: 2.6.32-279.5.1.el6.x86_64

Snort configuration

  • Snort version 2.9.3.1
  • Snort rules set: snortrules-snapshot-2930.tar.gz
  • All logging disabled (-K none)

Traffic used in the tests

  • Non-malicious traffic
  • Number of frames: 50341 repeated 5000 times = 251705000 in total
  • Frame size distribution as shown in this figure, which is a screen capture from the monitoring tool:
    RX RMDN1 counters screen showing frame size distribution

Test results

This table shows the percentage of packets processed depending on the number of Snort instances and the input data rate. The last column shows the cut-off rate at which Snort starts to lose packets.

Packets Processed (%)
  1 Gbps 2 Gbps 3 Gbps 4 Gbps 5 Gbps 6 Gbps 7 Gbps 8 Gbps 9 Gbps 10 Gbps 20 Gbps Cut-off rate
NT20E2
16 Snort instances 100,00 100,00 100,00 88,67 70,37 58,74 49,59 43,34 37,80 34,49 29,74 3.100 Mbps
12 Snort instances 100,00 100,00 98,07 84,11 70,08 58,26 49,44 42,85 37,99 33,10 25,30 2.900 Mbps
8 Snort instances 100,00 100,00 91,49 79,48 62,48 52,01 43,81 38,29 33,31 30,24 22,04 2.500 Mbps
4 Snort instances 100,00 89,30 59,44 43,37 34,05 27,40 23,41 19,87 17,45 15,87 11,17 1.800 Mbps
NT4E-4
16 Snort instances 100,00 100,00 100,00 92,88 - - - - - - - 4×800 Mbps
12 Snort instances 100,00 100,00 91,24 81,32 - - - - - - - 3×800 Mbps
8 Snort instances 100,00 100,00 86,39 74,61 - - - - - - - 3×700 Mbps
4 Snort instances 100,00 85,37 55,60 39,89 - - - - - - - 2×750 Mbps

Style Conventions

Bold typeface is used for names of, for instance, user interface elements and software components.

Italic typeface is used for replaceable text.

Monospaced typeface is used for code, commands and file names.

Abbreviations

CPU

Central Processing Unit

CRC

Cyclic Redundancy Check

DN

Document Number

IDS

Intrusion Detection System

NT

NapaTech

ntpl, NTPL

NapaTech Programming Language

NUMA

Non-Uniform Memory Access

OS

Operating System

RAM

Random-Access Memory

Rev.

REVision

RMON

Remote network MONitoring

RX

Reception/Receive

References