Snort mailing list archives
Re: Best practices for very high volume install..
From: Matthew Jonkman <jonkman () emergingthreatspro com>
Date: Tue, 21 Dec 2010 15:07:54 -0500
On Dec 21, 2010, at 2:20 PM, Jefferson, Shawn wrote:
All I can tell you is my past experience, and that has been that the ET rulesets kill my performance. I know that there was some performance work being done on the ET rulesets though, and maybe what you are saying is now the case.
You should definitely take a second look. And you should always tune a ruleset. ET gives you ALL the options and you cover what you need. You shouldn't let someone else decide what's important on your net. IMHO.
What I have done is run the rulesets that I *can* run without dropping packets, in what I feel is the most appropriate place to run them. It comes down to what you are protecting and the level of protection/detection you can afford (IMO).
Definitely take a second look before you decide which to run!

Matt
I'm building new sensors based on 2.9 and I will try the ET rulesets out on my WAN sensor again, to see if I can run them without dropping packets. If I can, then I will, and I do suggest you run the ET ruleset if you can do so, for sure.

-----Original Message-----
From: Weir, Jason [mailto:jason.weir () nhrs org]
Sent: Tuesday, December 21, 2010 11:11 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Best practices for very high volume install..

I run both ET & VRT rulesets (not heavily pruned) and it's a toss-up on performance between the two... The top 50 worst performing rules are right about 50/50... Any rules doing lots of PCRE will kill your performance, and those rules need to be looked at no matter where you get your rules.

To suggest not running one of the most cutting-edge rule sets out there because your hardware can't handle it doesn't sound right to me... That's like not locking your car because you don't like carrying your keys around....

-J

-----Original Message-----
From: Jefferson, Shawn [mailto:Shawn.Jefferson () bcferries com]
Sent: Tuesday, December 21, 2010 1:54 PM
To: Joel Esler; Castle, Shane
Cc: <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Best practices for very high volume install..

That's what I have found as well... snort+barnyard2, and tune the ruleset. Don't use the ET rules (or if you do, tune/prune them aggressively). On my network, I use network taps with two sensors, and run the ET ruleset on the tap that connects my network to the Internet only (bandwidth is considerably lower than on my corporate WAN links, on which I use only the Snort VRT ruleset).

I'm not pushing as much data through as you are... I've seen spikes up around 400 Mb/s with no drops though, and this is somewhat older hardware.
-----Original Message-----
From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Monday, December 20, 2010 5:02 PM
To: Castle, Shane
Cc: <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Best practices for very high volume install..

Using unified2 and barnyard2 removes the output logging slowdown from Snort. It can go very, very fast. Most of the speed can be found in reducing the ruleset and tuning.

Sent from my iPhone

On Dec 20, 2010, at 6:27 PM, "Castle, Shane" <scastle () bouldercounty org> wrote:

Using Barnyard? The claim is that with Barnyard2 a 10G link can be supported.

--
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH

-----Original Message-----
From: Wil Schultz [mailto:wschultz () bsdboy com]
Sent: Monday, December 20, 2010 14:25
To: snort-users () lists sourceforge net
Subject: [Snort-users] Best practices for very high volume install..

Hey there, have a very high traffic install (snort2.9/barnyard2) that I'm trying to get into a good and usable position. At this point I've got a gig port that's saturated to the box, so we're going to do a 2g port-channel here in a bit. So far I've come to the conclusion that mysql binary logging isn't realistic, so it's been turned off. Additionally I've got a script that runs at midnight to purge alerts that are greater than 2 days old. I'm considering putting the database into RAM for a little more speed. Does anyone else have some other best practice type suggestions for a very high traffic box?

-wil

_____________________________________________________________________________________________
Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.

------------------------------------------------------------------------------
Forrester recently released a report on the Return on Investment (ROI) of Google Apps. They found a 300% ROI, 38%-56% cost savings, and break-even within 7 months.
Over 3 million businesses have gone Google with Google Apps: an online email, calendar, and document program that's accessible from your browser. Read the Forrester report: http://p.sf.net/sfu/googleapps-sfnew
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
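Joel's advice above (unified2 output plus barnyard2) in concrete form. This is an added example, not configuration posted by anyone in the thread or shipped by the Snort or barnyard2 projects; the paths, filenames, hostname, interface and database credentials are placeholders. The first `output database:` line is the slow arrangement being replaced: Snort itself blocks on the database insert for every event. The `output unified2:` line is the replacement, and the barnyard2 fragment reads that spool file and does the database write outside Snort's packet path, using a waldo file so it resumes where it left off after a restart.

```conf
# --- snort.conf (Snort 2.9) ---

# Slow: Snort writes every event straight into MySQL on the packet path.
# Remove this line.
# output database: log, mysql, user=snort password=CHANGEME dbname=snort host=127.0.0.1

# Fast: binary unified2 spool on local disk; roll the file at 128 MB.
output unified2: filename merged.log, limit 128

# Optional: Snort's own per-rule profiler (needs a build with perfprofiling
# enabled). Run it briefly on the live link to find the rules to tune.
# config profile_rules: print 50, sort avg_ticks

# --- barnyard2.conf ---

config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map

# Placeholder sensor identity recorded with each event in the database.
config hostname:  sensor1
config interface: eth1

# Bookmark so barnyard2 does not re-insert old events after a restart.
config waldo_file: /var/log/snort/barnyard2.waldo

input unified2

# The database write now happens here, not inside Snort.
output database: log, mysql, user=snort password=CHANGEME dbname=snort host=127.0.0.1
```

Start the reader against the spool directory and file prefix that Snort writes (`-d` directory, `-f` file prefix, `-w` waldo file, `-D` to daemonize): `barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f merged.log -w /var/log/snort/barnyard2.waldo -D`. Wil's purge job and the binary-logging setting on the MySQL side are unchanged by this; what moves is only who blocks on the insert.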
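Jason's point that PCRE-heavy rules hurt regardless of vendor, and the repeated advice to tune whichever ruleset you run, as a small first-pass scanner that ranks rules by how much work they push onto the regex engine. This is an added example, not code from the thread, Emerging Threats or Sourcefire. The rules it scans are constructed, with hypothetical SIDs in the 9000000 range, and the scoring is a heuristic of this example rather than Snort's own cost model: a `pcre` with no `content` (or `uricontent`) in the same rule has no fast-pattern prefilter, so the regex runs on every packet that passes the header and flow checks, and unescaped `.*`/`.+` wildcards add backtracking. Snort's real numbers come from `config profile_rules` on a perfprofiling build; this script is for triage before you have those.

```python
"""Rank Snort rules by the work they push onto the PCRE engine (heuristic)."""
import re
from typing import Dict, List, Tuple

# Constructed sample rules for this example; SIDs are hypothetical, not ET or VRT.
SAMPLE_RULES = r'''
# Comment lines and disabled (#-prefixed) rules are skipped.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE content only"; flow:to_server,established; content:"/admin.php"; http_uri; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE content then pcre"; flow:to_server,established; content:"id="; http_uri; pcre:"/id=\d{6,}/U"; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE pcre without content"; flow:to_server,established; pcre:"/[a-z0-9]{20,}\x3d/i"; sid:9000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE two pcre, wildcard, no content"; flow:established; pcre:"/^GET .*\.(exe|dll)/i"; pcre:"/Host\x3a\s+[a-z]+/i"; sid:9000004; rev:2;)
#alert tcp any any -> any any (msg:"EXAMPLE disabled"; pcre:"/x/"; sid:9000005; rev:1;)
'''

_SID = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
_MSG = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"')
# content: and uricontent: both give the fast-pattern matcher something to prefilter on.
_CONTENT = re.compile(r'\b(?:uri)?content\s*:\s*!?\s*"')
# Captures the whole /regex/flags body; backslash-escaped pairs are consumed as a unit.
_PCRE = re.compile(r'\bpcre\s*:\s*!?\s*"((?:[^"\\]|\\.)*)"')
_WILDCARD = re.compile(r'(?<!\\)\.[*+]')   # unescaped .* or .+ inside a regex


def parse_rules(text: str) -> List[Dict]:
    """Pull sid, msg, content count and pcre bodies out of each enabled rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        start, end = line.find('('), line.rfind(')')
        if start == -1 or end < start:
            continue                      # not a rule (e.g. a var/ipvar line)
        body = line[start + 1:end]
        sid = _SID.search(body)
        if not sid:
            continue                      # every rule carries a sid; skip malformed lines
        msg = _MSG.search(body)
        rules.append({
            'sid': int(sid.group(1)),
            'msg': msg.group(1) if msg else '',
            'contents': len(_CONTENT.findall(body)),
            'pcres': _PCRE.findall(body),
        })
    return rules


def score_rule(rule: Dict) -> Tuple[int, List[str]]:
    """Heuristic cost (this example's assumption, not Snort's measurement):
    each pcre costs 1; with no content to prefilter it, each pcre costs 3;
    each unescaped .* or .+ adds 1."""
    reasons: List[str] = []
    n = len(rule['pcres'])
    if n == 0:
        return 0, reasons
    per_pcre = 3 if rule['contents'] == 0 else 1
    score = n * per_pcre
    reasons.append(f"{n} pcre option(s)")
    if rule['contents'] == 0:
        reasons.append("no content match to pre-filter the regex")
    wild = sum(len(_WILDCARD.findall(p)) for p in rule['pcres'])
    if wild:
        score += wild
        reasons.append(f"{wild} unbounded wildcard(s)")
    return score, reasons


def rank_rules(text: str, top: int = 50) -> List[Tuple[int, int, str]]:
    """Return (sid, score, reasons) for the costliest rules, highest score first.
    Rules that never touch PCRE are left out; they are not the problem here."""
    ranked = []
    for rule in parse_rules(text):
        score, reasons = score_rule(rule)
        if score > 0:
            ranked.append((rule['sid'], score, '; '.join(reasons)))
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked[:top]


if __name__ == '__main__':
    for sid, score, why in rank_rules(SAMPLE_RULES):
        print(f"sid:{sid}  score:{score}  {why}")
```

To run it over a real file, pass the file's text to `rank_rules` (the rules path is whatever your setup uses; nothing here assumes a particular one). For each rule near the top, either add a literal `content:` anchor (with `fast_pattern` where the obvious literal is not the longest one) so the regex only runs on candidate packets, or disable the sid, then re-measure drops on the live link; the heuristic tells you where to look, the packet-drop counters tell you whether it helped.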
Current thread:
- Best practices for very high volume install.. Wil Schultz (Dec 20)
- Re: Best practices for very high volume install.. Castle, Shane (Dec 20)
- Re: Best practices for very high volume install.. Joel Esler (Dec 20)
- Re: Best practices for very high volume install.. Jefferson, Shawn (Dec 21)
- Re: Best practices for very high volume install.. Weir, Jason (Dec 21)
- Re: Best practices for very high volume install.. Jefferson, Shawn (Dec 21)
- Re: Best practices for very high volume install.. Crook, Parker (Dec 21)
- Re: Best practices for very high volume install.. Matthew Jonkman (Dec 21)
- Re: Best practices for very high volume install.. Joel Esler (Dec 20)
- Re: Best practices for very high volume install.. Castle, Shane (Dec 20)