Snort mailing list archives

Re: GIG IDS


From: Martin Roesch <roesch () sourcefire com>
Date: Tue, 12 Sep 2006 10:48:06 -0400

Snort's not hard limited anywhere but there's more to building a gigabit IDS than just putting it on a fast box. Drivers, OS configuration, proper hardware selection and careful performance tuning are all required. You can do it with just open source software and off the shelf Dell/whatever gear if you're willing to write your own drivers for the specific NICs you're using or buy something like Endace cards, but even with that you've only solved the sensing side of the problem. There's also the sensor management, data management and analysis/reporting that makes the IDS useful to the users, and some of that stuff is extremely non-trivial to build.

People can do the math themselves and figure out where the time/convenience/money tradeoff for their organization lies, but building a gigabit (high packet per second) IDS is still pretty tough even on today's systems.

     -Marty

On Sep 12, 2006, at 9:41 AM, Donofrio, Lewis wrote:

This can be monitored with the open source version as well, just without the "polish" - unless the open source version is hard limited somewhere?

--comments always welcomed.
______________________________________________________________________
Lewis Donofrio () umich edu
Cell: (734) 323-8776


----- Original Message -----
From: snort-users-bounces () lists sourceforge net <snort-users-bounces () lists sourceforge net>
To: Marc Appelbaum <marc.appelbaum () gmail com>
Cc: snort-users () lists sourceforge net <snort-users () lists sourceforge net>
Sent: Tue Sep 12 09:28:07 2006
Subject: Re: [Snort-users] GIG IDS

Marc,

Thanks for writing. You may want to look into Sourcefire Commercially. We have machines that achieve those speeds easily. :)

Joel


On Tue, Sep 12, 2006 at 08:23:45AM -0400, Marc Appelbaum apparently sent me:
>
>    I'm looking for any insight into successful gigabyte Snort
>    deployments. My network is huge multi-gigabyte environment. Most of
>    the connections to my firewalls are gig. My Internet connections are
>    mostly dual OC-12s.
>    I'm thinking about using a high end Linux with say Red Hat 4 or
>    FreeBSD with at least 4 GB RAM with a Dual Core Intel CPU.
>    Any advice is very welcome.
>    --Marc

> -------------------------------------------------------------------------
> Using Tomcat but need to do more? Need to support web services, security?
> Get stuff done quickly with pre-integrated technology to make your job easier
> Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642

> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

+---------------------------------------------------------------------+
joel esler          senior security consultant         1-706-627-2101
Sourcefire Security for the /Real/ World -- http://www.sourcefire.com
       Snort - Open Source Network IPS/IDS -- http://www.snort.org
         gpg key: http://demo.sourcefire.com/jesler.pgp.key
           aim:eslerjoel  ymsg:eslerjoel gtalk:eslerj
+---------------------------------------------------------------------+

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org




Attachment: PGP.sig
Description: This is a digitally signed message part
