[Snort-devel] SourceFire Appliance 3D9900 capabilities

Joel Esler jesler at ...402...
Thu Apr 14 12:04:01 EDT 2011


Traffic going through any system is dependent upon the type of traffic going
through it and the amount of detection being applied.  Sourcefire's system
can auto-tune this detection; however, further testing results should be
coming out soon.

On Thu, Apr 14, 2011 at 7:40 AM, d a <xstoneheartx at ...398...> wrote:

> Does anybody know how many enabled rules are supported with SourceFire
> Appliance 3D9900 on 10 gbps traffic rate?
>
> ------------------------------
> *From:* Martin Holste <mcholste at ...2499...>
> *To:* d a <xstoneheartx at ...398...>
> *Cc:* Nigel Houghton <nhoughton at ...402...>;
> snort-devel at lists.sourceforge.net
> *Sent:* Sat, April 9, 2011 8:30:13 AM
> *Subject:* Re: [Snort-devel] using snort for 10Gbps traffic rate
>
> My rule of thumb thus far has been that on commodity hardware with
> PF_RING, you can run 1000 signatures per 500 Mb/sec of traffic per
> Snort instance before you start dropping packets.  You want to run
> 20x500, so I would think that a single Snort instance could run 50
> signatures at 10 gig.  However, you're definitely going to need
> PF_RING or TNAPI and a recent network card, or better yet a 10 gig
> Endace DAG card to process packet headers at 10 gig.  Also,
> preprocessors will take a heavy toll; I cannot vouch for a Snort
> process running even zero rules with all preprocessors turned on to
> perform at 10 gig with no drops.  If anyone on the list has
> successfully run a single Snort instance against a full 10 gig
> line-speed of real-world traffic, I'd like to hear it.  Many run at
> the 1-3 Gb/sec range, but few run at full 10 gig line-speed.
>
> Something to consider: the PF_RING DAQ module allows multiple Snort
> processes to load balance the traffic so that you can have a cluster
> of Snort instances on a single machine.  DAG cards allow a similar
> load-balancing to occur.
>
> On Fri, Apr 8, 2011 at 10:39 PM, d a <xstoneheartx at ...398...> wrote:
> > Hi,
> >
> > Can the snort2-9 package be used for protecting 10Gbps traffic rate without
> > need to use parallel snort sensors and breaking (splitting) traffic between
> > them? Can a single snort engine handle this rate? If yes, so still with the
> > assumption of no limitation in hardware and simplest configuration, how many
> > rules approximately can be enabled to handle this rate with acceptable
> > packet drops rate, acceptable CPU usage,…?
> >
> > The reason that I insist on this topic is because what I found in documents
> > and papers about snort performance and its supported rate, all were about
> > less than 1Gbps and there were some solutions to develop a hardware
> > accelerator for it to support 10Gbps rate.
> >
> >
> >
> > Thank you very much for your help.
> >
> > ________________________________
> > From: Nigel Houghton <nhoughton at ...402...>
> > To: d a <xstoneheartx at ...398...>
> > Cc: matan monitz <mmonitz at ...2499...>; snort-devel at lists.sourceforge.net
> > Sent: Tue, April 5, 2011 7:49:53 PM
> > Subject: Re: [Snort-devel] using snort for an IDS/IPS appliance
> >
> > On Tue, 5 Apr 2011 07:37:38 -0700 (PDT), d a wrote:
> >> I know that sourcefire has a product for this purpose but that is a
> >> commercial product while what we want to do is not a commercial
> >> project it's an experimental and research project and as far as I
> >> know sourcefire is using another generation of snort (3D) for their
> >> appliance not exclusively snort2-9  software.
> >
> > The Snort that is on a Sourcefire appliance is the same Snort that you
> > can download from snort.org. There is no "special Snort".
> >
> > --
> > Nigel Houghton
> > Head Mentalist
> > SF VRT Department of Intelligence Excellence
> > http://vrt-blog.snort.org/ && http://labs.snort.org/
> >
> > _______________________________________________
> > Snort-devel mailing list
> > Snort-devel at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-devel


-- 
Joel Esler | http://blog.snort.org | http://vrt-blog.snort.org |
http://blog.clamav.net
Twitter:  http://twitter.com/snort