Re: Handling of a 1 or 2 GB pipe?

[twig les <twigles () yahoo com>]

Wow.  The best hardware IMO is Sun, but that kid of
setup will run you a couple hundred grand at least. 
Try Supermicro's page.  They build some mean i386
servers for about 1/10 the price of Sun.  Plus they
use well-known hardware (like Adaptec SCSI
controllers) so using FreeBSD won't likely be a
problem :).  I'm something of a FreeBSD zealot so I
won't even seriously suggest any OS (avoiding penalty
drinks for starting an OS holy war).  Don't forget the
PC Weasel if you require a console port on that i386
box and are willing to cough up $350.

Other than that, I would (and do) run multiple
instances of snort to distribute the signatures. 
Check the docs to divide the sigs up among sets.  This
wasn't an issue in the 1.8.x line but will undoubtedly
be something to consider in 2.x.  Non-local logging
helps of course.

I'm curious as to how you expect to get up to the full
theoretical limit though.  In fact so many factors
could bottleneck, yet each seems to be advancing, that
I'm not sure what the slowdown would be anymore (disk
I/O, RAM speed, CPU, PCI/FSB bus, NIC ...).  Although
splitting up the 1.5Gbps across 2 boxes would mean
much less strain.


--- "Travis S." <security () starfieldsw com> wrote:
> Snort-Users,
>
> I am considering using Snort to monitor traffic on a
> 1 Gbps internet link, so the combined throughput of
> the monitored traffic would be 2 Gbps.  The average
> load is 1 Gbps (combined) and it wouldn't be
> surprising to see constant levels of above 1.5 Gbps.
>  The most likely implementation will involve
> mirroring a switch port to receive the data.  The
> network is over 60 subnets, with 50,000+ hosts.
>
> How well would Snort handle reviewing packets of
> such a link?  I basically want to pick apart packets
> and examine a few key bytes to determine the
> application that is used to send the data.  I'm not
> sure if it's possible to do this on-the-fly, or if
> it would be better to log the data and analyze from
> disk.
>
> Has anyone done similar things?  Any comments on
> hardware requirements?  Comments overall about the
> concept?  Operating system suggestions (and
> version?)?
>
> Thanks,
> Travis S.
-------------------------------------------------------
> This SF.NET email is sponsored by:
> SourceForge Enterprise Edition + IBM + LinuxWorld =
> Something 2 See!
> http://www.vasoftware.com
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or
> unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.         
-----------------------------------------------------------

__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com


-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users