Re: SNORT Testing

sshamay@xxxxxxxxxxxxxxxx wrote:
We are doing some performance tests on “snort” .

Good luck !

The tests are focused on measuring the throughput rates of snort under different mixture of traffic (good traffic + a percentage of malicious traffic)

"I have no idea which is a good performance measure for an IDS, but I
have an exact idea which ISN'T the right one: packets per second".

I am citing from memory, so I might be wrong, but this is a famous quote
by Marcus Ranum, which I wholeheartedly adhere to.

I need your help, how should be the test environment, which tools to use etc.

You can see some tinkering on the matter from my presentation at Black
Hat Federal:

Cordiali saluti,
Stefano Zanero
Dottorando di Ricerca / Ph.D. Student

Politecnico di Milano - Dip. Elettronica e Informazione
E-mail: zanero@xxxxxxxxxxxxxx

Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
to learn more.

Relevant Pages

  • Re: Recent anti-NIDS Gartner article
    ... packets and throughput of traffic is not suffered by IDS. ... Some reasons why I feel Inline IDSes don't require expensive ... if the packets come out of order (people ... then tap IDS does not even know and packets ...
  • Re: Test scripts for NIDS
    ... If you're using tcpreplay for performance testing, ... >> packets and they are being dropped? ... > the IDS catches everything. ... > increasing speeds until the IDS output changes (usually by failing to detect ...
  • RE: session logging IDS
    ... you to go back up to the beginning of the buffer to get some previous history. ... Subject: session logging IDS ... saying you can go back and review packets previous from when the sniffer was ...
  • Re: Signature and Traffic generation
    ... Make sure that you're not only generating "signatures" but that they are ... Many of the low-end packet grepping IDS fall prey to this ... They're doing real sessions ... You may want to just capture packets from a live network under varying ...
  • RE: GB IDS solutions
    ... Just a comment on "Gigabit" IDS... ... whether the packets are part of valid TCP/IP/UDP transactions ... This test is the equivalent of a car-maker saying their car goes ...