109

urn:lsid:arphahub.com:pub:3dc5f44e-8666-58db-bc76-a455210e8891

JUCS - Journal of Universal Computer Science

jucs

0948-695X 0948-6968

Journal of Universal Computer Science

10.3217/jucs-017-11-1605

30010

Research Article

C.2.0 - General C.2.1 - Network Architecture and Design C.2.3 - Network Operations C.2.6 - Internetworking C.2.m - Miscellaneous D.4.0 - General D.4.6 - Security and Protection D.4.8 - Performance D.4.9 - Systems Programs and Utilities

Performance Evaluation of Snort under Windows 7 and Windows Server 2008

Salah

Khaled

khaled.salah@kustar.ac.ae 1 Al-Khiaty

Mojeeb-Al-Rhman

2 Ahmed

Rashad

2 Mahdi

Adnan

Khalifa University of Science, Sharjah, United Arab Emirates

Khalifa University of Science

Sharjah

United Arab Emirates 2

King Fahd University of Petroleum and Minerals, Dhahran, Saudi Arabia

King Fahd University of Petroleum and Minerals

Dhahran

Saudi Arabia

Corresponding author: Khaled Salah (khaled.salah@kustar.ac.ae).

Academic editor:

2011

01 07 2011

17 11 1605 1622 8F3CC9D1-3272-57BC-914F-4D5DC3213CC5 7001745

Khaled Salah, Mojeeb-Al-Rhman Al-Khiaty, Rashad Ahmed, Adnan Mahdi

This article is freely available under the J.UCS Open Content License.

Abstract

Snort is the most widely deployed network intrusion detection system (NIDS) worldwide, with millions of downloads to date. PC-based Snort typically runs on either Linux or Windows operating systems. In this paper, we present an experimental evaluation and comparison of the performance of Snort NIDS when running under the two newly released operating systems of Windows 7 and Windows Server 2008. Snort's performance is measured when subjecting a PC host running Snort to both normal and malicious traffic. Snort's performance is evaluated and compared in terms of throughput and packet loss. In order to offer sound interpretations and get a better insight into the behaviour of Snort, we also measure the packet loss encountered at the kernel level. In addition, we study the impact of running Snort under different system configurations which include CPU scheduling priority given to user applications or kernel services, uni and multiprocessor environment, and processor affinity.