Performance evaluation comparison of Snort NIDS under Linux and Windows Server

Authors:
K. Salah;A. Kahtani
Affiliations:
Department of Information and Computer Science, King Fahd University of Petroleum and Minerals, P.O. Box 5066, Dhahran 31261, Saudi Arabia;Department of Information and Computer Science, King Fahd University of Petroleum and Minerals, P.O. Box 5066, Dhahran 31261, Saudi Arabia
Venue:
Journal of Network and Computer Applications
Year:
2010

Citing 10
Cited 3

Configurable string matching hardware for speeding up intrusion detection

ACM SIGARCH Computer Architecture News - Special issue: Workshop on architectural support for security and anti-virus (WASSA)
High-throughput linked-pattern matching for intrusion detection systems

Proceedings of the 2005 ACM symposium on Architecture for networking and communications systems
Packet pre-filtering for network intrusion detection

Proceedings of the 2006 ACM/IEEE symposium on Architecture for networking and communications systems
The performance analysis of linux networking - Packet receiving

Computer Communications
nCap: wire-speed packet capture and transmission

E2EMON '05 Proceedings of the End-to-End Monitoring Techniques and Services on 2005. Workshop
Beyond softnet

ALS '01 Proceedings of the 5th annual Linux Showcase & Conference - Volume 5
Optimization of pattern matching algorithm for memory based architecture

Proceedings of the 3rd ACM/IEEE Symposium on Architecture for networking and communications systems
Compiling PCRE to FPGA for accelerating SNORT IDS

Proceedings of the 3rd ACM/IEEE Symposium on Architecture for networking and communications systems
Deep network packet filter design for reconfigurable devices

ACM Transactions on Embedded Computing Systems (TECS)
Performance considerations in designing network interfaces

IEEE Journal on Selected Areas in Communications

Review: Intrusion detection system: A comprehensive review

Journal of Network and Computer Applications
Performance of IP-forwarding of Linux hosts with multiple network interfaces

Journal of Network and Computer Applications
Re-examining the performance bottleneck in a NIDS with detailed profiling

Journal of Network and Computer Applications

Quantified Score

Hi-index	0.00

Visualization

Abstract

In this paper, we present an experimental evaluation and comparison of the performance of Snort NIDS when running under the two popular platforms of Linux and Windows 2003 Server. Snort's performance is measured when subjecting a PC host running Snort to both normal and malicious traffic, and with different traffic load conditions. Snort's performance is evaluated and compared in terms of throughput and packet loss. In order to offer sound interpretations and get better insight into the behavior of Snort, we also measure the packet loss encountered at the kernel level. In addition, we identify key system parameters (for both Linux and Windows) that provide a fine-grained control over the percentage of the CPU bandwidth allocated to Snort application and can consequently impact its performance. We investigate such an impact, and determine the most appropriate values to improve and optimize Snort's performance. Specifically, for Windows we investigate the impact of customizing the Processor Scheduling configuration option; and for Linux, we investigate the impact of tuning the Budget configurable parameter used in the Linux kernel's packet reception mechanism.