A Throughput Analysis of Snort and pfSense 1.2.3



  • The following is a basic throughput analysis of pfSense 1.2.3 running Snort.

    System:
    Dell Optiplex 745 SFF
    Core2Quad 6600
    Intel PRO/1000 MT Dual Port Server Adapter
    3 GB RAM
    pfSense 1.2.3
    Snort updated with ET rules running in AC mode
    100 mbit full duplex ethernet, low latency internet connection

    Running the IPerf v1.70 client on a machine on the LAN side of the router, sending UDP packets to a machine on the WAN side of the router, the following rates were sustained:

    35.34 Mbps @ 81.55 kpps (load 2.05, snort enabled, polling disabled)
    39.02 Mbps @ 90.29 kpps (load 1.02, snort disabled, polling disabled)
    46.95 Mbps @ 108.68 kpps (load 0.97, snort disabled, polling enabled)
    40.60 Mbps @ 93.97 kpps (load 2.00, snort enabled, polling enabled)

    The following arguments were used for IPerf:

    
    iperf -c SERVER_IP -u -l 12B -i 5 -b 100M -t 999999999999
    
    

    The test was run for 5 minutes for each experiment.
    Rates were obtained from RRD graphs using the 1-minute average data in the pfSense webgui.
    12-byte UDP packets were generated using IPerf; with padding, the packets were 57 bytes through the pfSense router.
    It can be inferred that a quad-core CPU is most suitable for pfSense installations running Snort, as Snort is single-threaded, outbound traffic is queued to a single CPU, inbound traffic is queued to a single CPU, and the webserver/PHP can be queued on a single CPU.



  • Thank you….

    If you're willing to test a bit more.

    There is code in snort.inc commented out called "Red Devil".

    Try to invoke those options and play with the settings to see if you can get improvements.

    James

