A Throughput Analysis of Snort and pfSense 1.2.3
-
The following is a basic throughput analysis of pfSense 1.2.3 running Snort.
System:
Dell Optiplex 745 SFF
Core2Quad 6600
Intel PRO/1000 MT Dual Port Server Adapter
3 GB RAM
pfSense 1.2.3
Snort updated with ET rules running in AC mode
100 mbit full duplex ethernet, low latency internet connection
Running IPerf v1.70 client on a machine on the LAN side of the router, sending UDP packets to a machine on the WAN side of the router, the following rates were sustained:
35.34 Mbps @ 81.55 kpps (load 2.05, snort enabled, polling disabled)
39.02 Mbps @ 90.29 kpps (load 1.02, snort disabled, polling disabled)
46.95 Mbps @ 108.68 kpps (load 0.97, snort disabled, polling enabled)
40.60 Mbps @ 93.97 kpps (load 2.00, snort enabled, polling enabled)
The following arguments were used for IPerf:
iperf -c SERVER_IP -u -l 12B -i 5 -b 100M -t 999999999999
The test was run for 5 minutes for each experiment
Rates were obtained from RRD graphs using the 1 minute average data in the pfSense webgui
12 byte UDP packets were generated using IPerf, with padding the packets were 57 bytes through the pfSense router
It can be inferred that a quad core CPU is most suitable for pfSense installations running Snort, as Snort is single threaded, outbound traffic is queued to a single CPU, inbound traffic is queued to a single CPU, and the webserver/PHP can be queued on a single CPU.
-
Thank you….
If you're willing to test a bit more,
there is code in snort.inc, commented out, called "Red Devil".
Try to invoke those options and play with the settings to see if you can get improvements.
James