Snort mailing list archives
Re: Snort and high performance networks
From: Jeff Coppock <jcoppock1 () comcast net>
Date: Fri, 21 May 2004 10:04:22 -0700
On Thu, 20 May 2004 11:13:05 -0400 Christopher Rapier <rapier () psc edu> wrote:
> We have a number of networks coming into our facility that I'm interested in monitoring with snort. The problem is that these networks are big. Really big. One of them is 30GBits (3 lambdas over dwdm). The smaller ones are OC48, 802.11ad bonded GigE, and so forth.
>
> My question is how much (in whatever terms you wish to use) can snort be reasonably expected to handle? If anyone can point me to resources related to snort/bro/whatever in high performance networks I'd sure appreciate it.
>
> Chris
I've seen it recommended on this list that for high-speed needs, the Sourcefire appliance, which is based on the Snort code, is best. If you really want to build your own system, you'll need to build it not only for high-speed networking (Gigabit NIC) but high-speed bus/cpu/disks as well. I can't make any recommendations there, sorry.

As for handling the likes of a 30Gbps link, I think server load-balancing is your best bet. However, you'll still need to funnel the link down to around 500Mbps-1Gbps per IDS server. Perhaps your DWDM switch can mirror the 30Gb link into three 10GE links (per lambda?) which can connect to a big Ethernet switch with three 10GE ports, which then can mirror to 30 GigE ports. Then you could use something like a Nortel Alteon 2000 series load-balancing switch to take a few of these GigE connections and load-balance to a big enough farm for all the traffic.

You have an interesting challenge ahead of you. Good luck.

jc

--
Jeff Coppock
Systems Engineer
Diggin' Debian Admin and User
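The sizing and distribution problem discussed in this message, as an added example that is not part of the original post or of any Snort or Alteon code: it computes how many sensors a 30Gbps link needs at 500Mbps and 1Gbps per sensor, and assigns flows to sensors with a direction-independent hash so both halves of a connection reach the same sensor for stream reassembly. The hashing scheme, function names and sample flows are assumptions; the post does not say how the load balancer distributes traffic.

```python
import hashlib
import ipaddress
import math
from collections import Counter

def sensors_needed(link_gbps, per_sensor_mbps):
    """Sensors required so that none is offered more than per_sensor_mbps."""
    return math.ceil(link_gbps * 1000 / per_sensor_mbps)

def flow_key(src, sport, dst, dport, proto):
    """Direction-independent key: order the two endpoints so A->B equals B->A."""
    a = (int(ipaddress.ip_address(src)), sport)
    b = (int(ipaddress.ip_address(dst)), dport)
    lo, hi = sorted((a, b))
    return f"{proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}".encode()

def pick_sensor(src, sport, dst, dport, proto, n_sensors):
    """Map a packet's 5-tuple to a sensor index (hypothetical balancer policy)."""
    digest = hashlib.sha256(flow_key(src, sport, dst, dport, proto)).digest()
    return int.from_bytes(digest[:8], "big") % n_sensors

def constructed_flows(count):
    """Constructed sample flows using documentation address ranges."""
    for i in range(count):
        yield (f"192.0.2.{i % 250 + 1}", 1024 + i,
               f"198.51.100.{i % 200 + 1}", 80, "tcp")

def spread(n_sensors, count=6000):
    """Number of constructed flows landing on each sensor."""
    return Counter(pick_sensor(*f, n_sensors) for f in constructed_flows(count))

if __name__ == "__main__":
    for rate_mbps in (1000, 500):
        n = sensors_needed(30, rate_mbps)
        load = spread(n)
        print(f"{rate_mbps} Mbps/sensor -> {n} sensors, "
              f"flows per sensor min={min(load.values())} max={max(load.values())}")
```

A per-packet or source-only distribution would split a session across sensors, so the check worth running against any real balancer is that a flow and its reverse direction arrive on the same port.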
