[Snort-users] Snort on a parallel machine?

Frank Knobbe FKnobbe at ...649...
Mon Mar 19 13:22:42 EST 2001

Hash: SHA1

> -----Original Message-----
> From: John Kiehnle [mailto:john at ...1477...]
> Sent: Monday, March 19, 2001 12:34 PM
> Someone else is peeling my exact question... right to the 
> core. Over the next
> several years as bigger pipes, wireless networks, 64bit 
> busses, greater
> automation and new tools are developed to exploit 
> vulnerabilities, It seems we
> are eventually going to arrive at that critical mass where a 
> single processor
> snort IDS will not do the job. Things like Statistical Packet
> Anomaly Detection, and their corresponding correlation engines, 
> (thank you brothers in
> arms at Silicon Defense) will put even our beefy snort boxes 
> on their knees.
> Some packet flood tools already seem to be able to overwhelm 
> some "other"
> vendor IDSs. ; )
> My questions are;
> is there any "parallelness" inherent in the snort IDS which 
> lends itself to
> being re-tooled to take advantage of a parallel machine? 
> Is there any reason for anyone to be thinking about this project
> yet?  

You can use the BPF filters. Depending on your network infrastructure
and bandwidth and such, you might be better off if you let hardware
distribute traffic to your multiple snort sensors. Toplayer makes a
nice switch geared for this purpose that take for example a 1 GB
stream and distributes it across ten 100 MB segments. 

So if we can't scale IDS technologies up (more CPU power), we surely
can scale them out (adding more sensors)...


Version: PGP Personal Privacy 6.5.8
Comment: PGP or S/MIME encrypted email preferred.


More information about the Snort-users mailing list