• DocumentCode
    1345211
  • Title
    Improving Snort performance under Linux
  • Author
    Salah, Khaled ; Kahtani, A.
  • Author_Institution
    Dept. of Inf. & Comput. Sci., King Fahd Univ. of Pet. & Miner., Dhahran, Saudi Arabia
  • Volume
    3
  • Issue
    12
  • fYear
    2009
  • fDate
    12/1/2009 12:00:00 AM
  • Firstpage
    1883
  • Lastpage
    1895
  • Abstract
    Network intrusion detection systems (NIDS) have become vital components in securing today's computer networks. To be highly effective, a NIDS must perform packet inspection of incoming traffic at or near wire speed. Failing to do so will allow malicious packets to sneak through the network undetected and thus jeopardise network security. Snort is one of the most popular IDS and intrusion prevention system (IPS) applications. Snort is a publicly available open-source NIDS application that typically runs on Linux. In this study, the authors present and discuss the essential software components of Snort and its underlying Linux support architecture. The authors characterise Snort execution and present an analytical queuing model that gives insight into the kernel and Snort behaviour and identifies the key dominating factors that strongly influence Snort performance. The authors demonstrate that the current default configuration of the packet reception mechanism of the Linux networking subsystem (a.k.a. NAPI) is not suitable for Snort performance, and show that the performance of Snort can be improved significantly by tuning certain configuration parameters, specifically by using a small NAPI budget value of 2. Performance is measured in terms of throughput and packet loss. The authors also measure the packet loss encountered at the kernel level as well as the interrupt rate of incoming traffic. Performance was measured when subjecting a PC host running Snort to both normal and malicious traffic, and under different traffic load conditions.
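    The abstract reports two kinds of measurement a practitioner would want to reproduce on a Snort host: kernel-level packet loss (packets the Linux receive path drops before Snort ever sees them) and the effect of the NAPI budget. The script below is an added example and is not code from the paper; it summarises the per-CPU counters in /proc/net/softnet_stat and wraps the budget sysctl. Two things are my assumptions rather than statements from the page: that the first three hex columns of each softnet_stat row are packets processed, packets dropped and time_squeeze (budget or time limit hit in net_rx_action), and that the "NAPI budget" the authors tune corresponds to the net.core.netdev_budget sysctl. The softnet_stat sample embedded in the script is constructed, not measured data.

```shell
#!/bin/sh
# Added example (not from the paper): summarise kernel-level packet loss from
# /proc/net/softnet_stat and read or set the NAPI budget sysctl.
# Assumptions (mine, not the paper's): softnet_stat has one row per CPU with hex
# columns processed, dropped, time_squeeze in positions 1-3; the budget the
# abstract tunes is exposed as net.core.netdev_budget.

# Constructed sample of /proc/net/softnet_stat for two CPUs (not real data):
# CPU0 sees no drops; CPU1 has dropped 0x3e8 packets and was squeezed 0x190 times.
SAMPLE_SOFTNET='0001a2b4 00000000 00000003 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
000f4240 000003e8 00000190 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000'

# softnet_summary TEXT -> "processed dropped time_squeeze", summed over all CPUs.
softnet_summary() {
    processed=0; dropped=0; squeezed=0
    while read -r p d s _rest; do
        [ -n "$p" ] || continue            # skip blank lines
        processed=$((processed + 0x$p))    # column 1: packets processed
        dropped=$((dropped + 0x$d))        # column 2: dropped, backlog full
        squeezed=$((squeezed + 0x$s))      # column 3: budget/time limit hit
    done <<EOF
$1
EOF
    printf '%s %s %s\n' "$processed" "$dropped" "$squeezed"
}

# softnet_loss_bp TEXT -> kernel-level loss in basis points (1/100 of a percent),
# i.e. dropped / (processed + dropped). Integer arithmetic, so 0 means < 0.01 %.
softnet_loss_bp() {
    set -- $(softnet_summary "$1")
    total=$(($1 + $2))
    [ "$total" -gt 0 ] || { echo 0; return; }   # idle host: avoid divide by zero
    echo $((10000 * $2 / total))
}

# napi_budget show|apply [VALUE] -> read or set the assumed sysctl (apply needs root).
# The paper reports the best Snort throughput with a budget of 2, hence the default.
napi_budget() {
    case "$1" in
        show)  sysctl -n net.core.netdev_budget ;;
        apply) sysctl -w net.core.netdev_budget="${2:-2}" ;;
        *)     echo "usage: napi_budget show|apply [VALUE]" >&2; return 2 ;;
    esac
}

# Run against the live kernel with: sh snort_napi_check.sh live
if [ "${1:-}" = live ] && [ -r /proc/net/softnet_stat ]; then
    live=$(cat /proc/net/softnet_stat)
    echo "softnet processed/dropped/time_squeeze: $(softnet_summary "$live")"
    echo "kernel-level loss: $(softnet_loss_bp "$live") bp"
    if command -v sysctl >/dev/null 2>&1; then
        echo "netdev_budget: $(napi_budget show)"
    fi
else
    echo "sample: $(softnet_summary "$SAMPLE_SOFTNET") -> $(softnet_loss_bp "$SAMPLE_SOFTNET") bp loss"
fi
```

    Run it once before and once after `napi_budget apply 2` while replaying the same traffic: a rising dropped column means the kernel backlog is overflowing, while a rising time_squeeze column means net_rx_action is exhausting its budget, which is the knob the paper targets. Compare the kernel-level loss figure with Snort's own packet-loss statistics to see where in the path packets are being lost.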
  • Keywords
    Linux; computer networks; queueing theory; reception; telecommunication security; telecommunication traffic; Linux; NIDS; Snort performance; analytical queuing model; computer network; intrusion prevention system; malicious packets; network intrusion detection system; network security; network throughput; network traffic; networking subsystem; packet inspection; packet loss; packet reception;
  • fLanguage
    English
  • Journal_Title
    Communications, IET
  • Publisher
    iet
  • ISSN
    1751-8628
  • Type
    jour
  • DOI
    10.1049/iet-com.2009.0114
  • Filename
    5343506