Snort mailing list archives
Re: Sizing of a box requiring 2x10Gbps
From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Thu, 08 Jul 2010 20:49:03 +0000
Well, not really. Just use generic quad-core, quad-processor servers and a Napatech stream-capable card (which is overkill for 4Gbit). Recombining all the alerting from multiple instances of Snort is the only pain you really run into. You can just set the output logging to unified2 and 1 MB in size and have another process monitor the output directory and process it with barnyard2 file by file into a database, then point your front end tools towards that.
Card: http://www.napatech.com/products/network_adapters.html (He will want the 2x10G PCIe one).
Definitely requires some care, feeding and development this route. A commercial offering should be much more plug and play.
-- Eoin

On 7/7/2010 5:48 PM, Joel Ebrahimi wrote:
> I agree with Esler that you will have a hard time keeping up with those speeds with off the shelf hardware. Though it is possible with kernel/driver modifications and a sparse ruleset.
>
> Or you can use specialty hardware like the Bivio platform (http://www.bivio.net).
>
> Sorry for another plug.
>
> On Wed, Jul 7, 2010 at 7:22 AM, JJC <cummingsj () gmail com> wrote:
>> You may end up capturing the traffic and then replaying it back at a rate that you can analyze an acceptable percentage of the traffic.. say, 100%
>> Of course you may have problems with storage and also not capturing 100% of the traffic.
>>
>> On Wed, Jul 7, 2010 at 5:18 AM, Joel Esler <jesler () sourcefire com> wrote:
>>> It would be very difficult to achieve those kinds of speeds without a commercial Snort appliance like Sourcefire. Sorry for the plug.
>>>
>>> -- Sent from my iPad
>>>
>>> On Jul 7, 2010, at 4:28 AM, "Sven Juergensen (KielNET)" <s.juergensen () kielnet de> wrote:
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> Hi list,
>>>>
>>>> I'm playing with the thought of implementing an
>>>> IDS for our network. Now, for the box handling
>>>> this, a bit of advice would be appreciated. It
>>>> needs 2 10GE interfaces and would have to soak
>>>> up a throughput of about 4GBps tops. The amount
>>>> of accumulated data should last about a week.
>>>>
>>>> Does anyone know the rough specs for a box to
>>>> deal with this?
>>>>
>>>> Thanks in advance and regards,
>>>>
>>>> Kind regards,
>>>>
>>>> i. A. Sven Juergensen
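Added example, not part of the original post and not code from Snort or barnyard2: a sketch of the "another process" Eoin describes, which picks up closed unified2 files from several Snort instances and hands them to barnyard2 one at a time. The directory paths, the `snort.u2` base name, the `barnyard2.conf` location, the `done` archive subdirectory and the use of barnyard2's `-o` batch mode are assumptions.

```python
import os
import re
import subprocess

# Assumed snort.conf line per instance: output unified2: filename snort.u2, limit 1
# Snort then writes snort.u2.<unix timestamp> and rotates at about 1 MB.
SPOOL_NAME = re.compile(r"^(?P<base>.+)\.(?P<ts>\d+)$")

def completed_spool_files(instance_dir, base="snort.u2"):
    """Closed unified2 files in one instance's directory, oldest first.

    The newest file is assumed to be the one Snort still has open, so it is skipped.
    """
    found = []
    for name in os.listdir(instance_dir):
        m = SPOOL_NAME.match(name)
        if m and m.group("base") == base:
            found.append((int(m.group("ts")), os.path.join(instance_dir, name)))
    found.sort()
    return [path for _, path in found[:-1]]

def drain(instance_dirs, conf="/etc/snort/barnyard2.conf", run=subprocess.run):
    """Hand each closed file to barnyard2 in batch mode (-o), then archive it."""
    processed = []
    for d in instance_dirs:
        for path in completed_spool_files(d):
            if run(["barnyard2", "-c", conf, "-o", path]).returncode != 0:
                break  # leave the file in place and retry on the next pass
            archive = os.path.join(d, "done")
            os.makedirs(archive, exist_ok=True)
            os.replace(path, os.path.join(archive, os.path.basename(path)))
            processed.append(path)
    return processed

if __name__ == "__main__":
    import time
    # Hypothetical layout: one log directory per Snort instance.
    dirs = ["/var/log/snort/inst0", "/var/log/snort/inst1"]
    while True:
        drain(dirs)
        time.sleep(5)
```

Archiving only after barnyard2 exits cleanly means a database outage leaves the spool files in place for the next pass instead of dropping alerts.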