Performance evaluation comparison of Snort NIDS under Linux and Windows Server

摘要

In this paper, we present an experimental evaluation and comparison of the performance of Snort NIDS when running under the two popular platforms of Linux and Windows 2003 Server. Snort's performance is measured when subjecting a PC host running Snort to both normal and malicious traffic, and with different traffic load conditions. Snort's performance is evaluated and compared in terms of throughput and packet loss. In order to offer sound interpretations and get better insight into the behavior of Snort, we also measure the packet loss encountered at the kernel level. In addition, we identify key system parameters (for both Linux and Windows) that provide a fine-grained control over the percentage of the CPU bandwidth allocated to Snort application and can consequently impact its performance. We investigate such an impact, and determine the most appropriate values to improve and optimize Snort's performance. Specifically, for Windows we investigate the impact of customizing the Processor Scheduling configuration option; and for Linux, we investigate the impact of tuning the Budget configurable parameter used in the Linux kernel's packet reception mechanism.