[Snort-users] load balancing snort/IDS

Erik Engberg Erik.Engberg at ...511...
Mon Sep 25 12:51:47 EDT 2000


A little bit off topic, but I wanted to know if anyone has any experience in
load balancing NIDS on heavily trafficked lines like a congested 100Mbit or
even a gigabit line.

I have thought about doing some balancing with layer 7 switches. There are
several available like Alteon (preferable for us), Foundry and Arrowpoint.
Also there is a company called Top Level that markets a layer 7 switch as an
IDS load balancer, anyone tried that one?

Some of the questions that will undoubtedly arise are...

How do I balance the traffic in real life, and how would I really want it
balanced?
Would I prefer to have one machine taking care of all HTTP, another taking
SMTP and another taking another protocol and so on, or would I prefer to
divide the traffic by destination or source addresses, or maybe some other
load balancing algorithm?
How would I solve things like scans and DoS attacks that use multiple
source/destination addresses and several ports?

Could I cluster snort (or another IDS) for more CPU power and do the
analysis in full cluster processes? Because, if I have got everything right,
it's mainly CPU that we are short of for analysis.

In a cluster solution, would I want more than one machine actually listening
on the wire?
Would it be an option to let every machine sniff all the traffic (tcpdump
style) and then just do the rules matching/detection on separate segments of
it and combine the results?
Or would I prefer that one machine gathers all the data and distributes to
the separate machines for analysis of their small chosen portion.

Have you put any thought into the - present or future - snort development
for distributed analysis?

I wouldn't personally mind a little bit more delay in the alert/response
phase if it meant I could do higher bandwidths ;)

/Erik
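The balancing choices raised in the post (per protocol, per destination address, per source address) and the question of what happens to a scan that fans out across many destinations can be modelled directly. The following is an added example, not code from the post, from Snort or from any of the switch vendors named; it assumes four sensors, SHA-256 bucketing of a chosen key, a toy per-sensor scan heuristic with a threshold of 40 distinct targets, and constructed traffic (a horizontal SSH scan from 10.0.0.9 against 64 hosts plus some HTTP request/reply pairs). It also adds a symmetric flow hash, which the post does not mention, because it is the option that keeps both directions of a TCP conversation on the same sensor.

```python
"""Added example: spreading packets across several NIDS sensors and seeing
what each balancing policy does to load and to scan detection.

Not code from the original post or from Snort.  Sensor count, hash scheme,
scan threshold and all traffic below are assumptions made for illustration.
"""
import hashlib
from collections import defaultdict

SCANNER = "10.0.0.9"          # constructed scanning host
N_SENSORS = 4                 # assumed cluster size
SCAN_THRESHOLD = 40           # assumed per-sensor distinct-target threshold


def _bucket(key: str, n_sensors: int) -> int:
    """Stable mapping of a key string onto one of n_sensors sensors."""
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_sensors


def by_protocol(pkt, n):
    """One sensor per protocol: all TCP lands on a single box."""
    return _bucket(pkt["proto"], n)


def by_dst(pkt, n):
    """Balance on destination address."""
    return _bucket(pkt["dst"], n)


def by_src(pkt, n):
    """Balance on source address."""
    return _bucket(pkt["src"], n)


def by_flow(pkt, n):
    """Symmetric 5-tuple hash: request and reply of one conversation
    always reach the same sensor, whichever side sent the packet."""
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    lo, hi = sorted([a, b])
    return _bucket(f"{pkt['proto']}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}", n)


def distribute(packets, policy, n=N_SENSORS):
    """Return {sensor_id: [packets]} for the given policy."""
    sensors = defaultdict(list)
    for p in packets:
        sensors[policy(p, n)].append(p)
    return dict(sensors)


def portscan_alerts(sensor_packets, threshold=SCAN_THRESHOLD):
    """Toy scan heuristic run independently on each sensor: a source is
    flagged when that sensor alone has seen it probe >= threshold distinct
    (dst, dport) pairs.  Returns the set of flagged source addresses."""
    alerted = set()
    for pkts in sensor_packets.values():
        seen = defaultdict(set)
        for p in pkts:
            seen[p["src"]].add((p["dst"], p["dport"]))
        alerted |= {src for src, tg in seen.items() if len(tg) >= threshold}
    return alerted


def sample_traffic():
    """Constructed packets (not a capture): a horizontal scan of port 22 on
    192.168.1.1-64 from SCANNER, plus eight HTTP request/reply pairs."""
    pkts = []
    for i in range(1, 65):
        pkts.append(dict(proto="tcp", src=SCANNER, sport=40000 + i,
                         dst=f"192.168.1.{i}", dport=22))
    for i in range(1, 9):
        client, server, sport = f"10.0.1.{i}", "192.168.1.80", 50000 + i
        pkts.append(dict(proto="tcp", src=client, sport=sport, dst=server, dport=80))
        pkts.append(dict(proto="tcp", src=server, sport=80, dst=client, dport=sport))
    return pkts


if __name__ == "__main__":
    pkts = sample_traffic()
    policies = [("protocol", by_protocol), ("dst", by_dst),
                ("src", by_src), ("flow", by_flow)]
    for name, policy in policies:
        spread = distribute(pkts, policy)
        load = {s: len(v) for s, v in sorted(spread.items())}
        print(f"{name:8s} load={load} scan_alerts={portscan_alerts(spread)}")
```

Running it shows the trade-off in one screen: per-protocol balancing puts every TCP packet on one sensor, so it buys nothing for a TCP-dominated line; per-destination and per-flow hashing spread the load evenly but also spread the scanner's 64 probes so thinly that no single sensor crosses the threshold; per-source hashing keeps the scan on one sensor and alerts, at the cost of a single busy source being able to saturate one box. Whichever key is chosen, the detection logic on each sensor only sees its own slice, which is why the post's question about combining results across the cluster matters.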