Snort mailing list archives

Snort performance via bpf filters on +20gbps network traffic


From: Txalin <txalin () gmail com>
Date: Mon, 25 Jan 2016 17:15:12 +0100

Hi all,

Right now we are migrating our network to a new environment, and as a part
of the snort migration, we have several doubts regarding snort capabilities.

The idea is, one central firewall, where all the traffic will pass through
(user network, dmz, datacenter, etc...), will duplicate the traffic via tap
and send it to a snort vlan. And our idea is, via bpf filters, to split the
traffic to several snorts (so, "dmz snort" will sniff only traffic from dmz
network ranges, etc...)

My question is: The expected traffic is around 20 Gbps, and even if we
make bpf filters, all the duplicated traffic will reach each snort, so,
is snort capable of handling, via bpf filters, all this traffic or will it
start dropping packets due to interface usage before bpf filters get
applied?

Is there another way to handle such an amount of traffic with another snort design?

Note: We will use the pf_ring driver in order to achieve

Kind regards.