A Throughput Analysis of Snort and pfSense 1.2.3
-
The following is a basic throughput analysis of pfSense 1.2.3 running Snort.
System:
Dell Optiplex 745 SFF
Core2Quad 6600
Intel PRO/1000 MT Dual Port Server Adapter
3 GB RAM
pfSense 1.2.3
Snort updated with ET rules running in AC mode
100 mbit full duplex ethernet, low latency internet connectionRunning IPerf v1.70 client on a machine on the LAN side of the router sending UDP packets to a machine on the WAN side of the router the following rates were sustained:
35.34 Mbps @ 81.55 kpps (load 2.05, snort enabled, polling disabled)
39.02 Mbps @ 90.29 kpps (load 1.02, snort disabled, polling disabled)
46.95 Mbps @ 108.68 kpps (load 0.97, snort disabled, polling enabled)
40.60 Mbpps @ 93.97 kpps (load 2.00, snort enabled, polling enabled)The following arguments were used for IPerf:
iperf -c SERVER_IP -u -l 12B -i 5 -b 100M -t 999999999999The test was run for 5 minutes for each experiment
Rates were obtained from RRD graphs using the 1 minute average data in the pfSense webgui
12 byte UDP packets were generated using IPerf, with padding the packets were 57 bytes through the pfSense router
It can be inferred that a quad core CPU is most suitable for pfSense installations running Snort as snort is single threaded, outbound traffic is queued to a single cpu, inbound traffic is queued to a single cpu, and the webserver/php can be queued on a single cpu.
-
Thank you….
If your willing to test a bit more.
there is code in snort.inc commented out called "Red Devil".
Try to invoke those options and play with the settings to see if you can get improvements.
James