[Snort-users] Hardware suggestions

Martin Roesch roesch at ...421...
Thu Mar 1 23:46:24 EST 2001

The only way you're going to be able to do this (200-230Mbps) with stock
Snort is with a *very* limited ruleset (like 100 rules or less) on a
very fast machine (1+ GHz, 256+ MB RAM, fast SCSI-160 HDD, OpenBSD,
limited logging and alerting).  A better bet is to go with a better
architecture, you're facing some pretty big hurdles right now
with default Snort considering the fact that we're using libpcap (which
is relatively slow) on non-optimized NIC drivers/OS code.

You might be able to do better on a "better" platform.  Consider
something like an Alpha running Tru64 (with a 64-bit/66MHz PCI bus) or a
nice beefy Sparc (although I hear that DLPI is a pretty slow interface,
I don't have any benchmarks to back that up).

Once you get into the "real" gigE realm, you're out of Snort's existing
ball park.  The design limit of a 32-bit 33MHz PCI bus is 1.056 Gbps,
and that's not sustained performance either (figure 80% of max for
sustained performance).  Once you start pushing large numbers of packets
per second over the bus, you get into interrupt service routine latency
issues and you have to start thinking about modifying the NIC drivers to
reduce the number of interrupts per second they can issue and doing
things like modifying the firmware on the NIC (SysKonnect lets you do
this) to do a little prefiltering for you.  You can also try to do
things like offloading checksum calculation onto cards that support it,
but then you have to modify the OS interface to pass the information up
to userland (Snort).  What you really need to do this job properly (at
1Gbps sustained) is hardware acceleration, which doesn't really exist at
this point in a commercial product.

If you want to monitor specific things on gigE, check out the network
monitor boxes from Shomiti, they're pretty slick.

As for Dragon being able to handle true gigabit traffic on straight x86
hardware (even quad Xeons), I'd be very skeptical of those claims. 
NetworkICE is currently selling a gigE solution with similar hardware
(for $60k!) which when you read the fine print says something to the
effect of "if you have more than 300Mbps of sustained traffic, the
sensor probably won't handle it".

There are IDS accelerators on the horizon from a number of the
commercial NIDS vendors (there might even be one for Snort...) but at
this time I don't know of any that are actual shipping commercial


"Mann, Kamal (CCI-Las Vegas)" wrote:
> I have a rather silly question.  I need to monitor a rather busy network
> segment, average traffic levels in the 200-230meg range.  Currently the
> Intel machine I have monitoring this segment is missing packets extremely
> badly.  Does anybody have any ideas on what hardware & os platform might be
> able to monitor this level of activity?  The major requirement is that it be
> able to support a gig-e interface.  Thanks.
> Kamal

Martin Roesch
roesch at ...421...
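A capacity estimate for the PCI bus ceiling, the 80% sustained rule of thumb and the packet rates discussed in the post above, added here as an example (it is not code from the post or from the Snort project). The Ethernet preamble/inter-frame-gap overhead and the choice of frame sizes are assumptions; the 32-bit/33 MHz figure and the 80% factor come from the post.

```python
from dataclasses import dataclass

# Assumption: 8 bytes preamble/SFD plus 12 bytes inter-frame gap per frame on the wire.
PREAMBLE_AND_IFG_BYTES = 8 + 12
# The post's rule of thumb: figure 80% of the bus maximum as sustained throughput.
SUSTAINED_FRACTION = 0.8


def pci_bus_mbps(width_bits: int, clock_mhz: int) -> float:
    """Theoretical PCI throughput: bus width times clock (32-bit/33 MHz -> 1056 Mbit/s)."""
    return width_bits * clock_mhz


def frames_per_second(link_mbps: float, frame_bytes: int) -> float:
    """Frames per second arriving from the wire at a given load, counting preamble and gap."""
    bits_per_frame = (frame_bytes + PREAMBLE_AND_IFG_BYTES) * 8
    return link_mbps * 1_000_000 / bits_per_frame


@dataclass
class Budget:
    bus_mbps: float        # theoretical bus ceiling
    sustained_mbps: float  # 80% of the ceiling
    pps: float             # frames per second the NIC must hand to the host
    bus_load_mbps: float   # frame payload crossing the bus per second
    fits: bool             # whether the load stays under the sustained ceiling


def sensor_budget(link_mbps: float, frame_bytes: int,
                  width_bits: int = 32, clock_mhz: int = 33) -> Budget:
    """Estimate whether a sensor on the given PCI bus can keep up with the given link load.

    Only the frame itself is assumed to cross the bus; preamble and gap stay on the wire.
    With one interrupt per packet, `pps` is also the interrupt rate the host must service.
    """
    bus = pci_bus_mbps(width_bits, clock_mhz)
    sustained = bus * SUSTAINED_FRACTION
    pps = frames_per_second(link_mbps, frame_bytes)
    load = pps * frame_bytes * 8 / 1_000_000
    return Budget(bus, sustained, pps, load, load <= sustained)


if __name__ == "__main__":
    # Constructed scenarios: the 230 Mbit/s segment from the question, and a saturated gigE link.
    for link, frame, width, clock in [(230, 64, 32, 33), (1000, 512, 32, 33), (1000, 512, 64, 66)]:
        b = sensor_budget(link, frame, width, clock)
        print(f"{link:5} Mbit/s, {frame:4}-byte frames, PCI {width}/{clock}: "
              f"{b.pps:,.0f} pps, bus load {b.bus_load_mbps:.1f} of {b.sustained_mbps:.1f} "
              f"sustained -> {'fits' if b.fits else 'exceeds bus'}")
```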
