Performance Evaluation of Snort under Windows 7 and Windows Server 2008
Khaled Salah (Khalifa University of Science, United Arab Emirates)
Mojeeb-Al-Rhman Al-Khiaty (King Fahd University of Petroleum and Minerals, Saudi Arabia)
Rashad Ahmed (King Fahd University of Petroleum and Minerals, Saudi Arabia)
Adnan Mahdi (King Fahd University of Petroleum and Minerals, Saudi Arabia)
Abstract: Snort is the most widely deployed network intrusion detection system (NIDS) worldwide, with millions of downloads to date. PC-based Snort typically runs on either Linux or Windows operating systems. In this paper, we present an experimental evaluation and comparison of the performance of Snort NIDS when running under the two newly released operating systems of Windows 7 and Windows Server 2008. Snort's performance is measured when subjecting a PC host running Snort to both normal and malicious traffic. Snort's performance is evaluated and compared in terms of throughput and packet loss. In order to offer sound interpretations and get a better insight into the behaviour of Snort, we also measure the packet loss encountered at the kernel level. In addition, we study the impact of running Snort under different system configurations which include CPU scheduling priority given to user applications or kernel services, uni and multiprocessor environment, and processor affinity.
Keywords: Experimental Performance Evaluation, Snort, Windows 2008, Windows 7, network security, operating systems
Categories: C.2.0, C.2.1, C.2.3, C.2.6, C.2.m, D.4.0, D.4.6, D.4.8, D.4.9