[Snort-users] thoughts on load balancing snort boxen for high traffic links

Austad, Jay austad at ...432...
Mon Mar 19 15:03:46 EST 2001


> I'd love to get a copy of such code, will you make it available?

Sure, when/if I write it.  :)  

> -----Original Message-----
> From: John_Delisle at ...1523... [mailto:John_Delisle at ...1523...]
> Sent: Monday, March 19, 2001 1:37 PM
> To: Austad, Jay
> Cc: 'snort-users at lists.sourceforge.net'
> Subject: Re: [Snort-users] thoughts on load balancing snort boxen for high traffic links
> 
> 
> 
> I'd love to get a copy of such code, will you make it available?
> 
> Also, does snort show dropped packets in Linux now?
> 
> John Delisle
> Corporate Technology
> Ceridian Canada Ltd
> 204-975-5909
> 
> 
> From: "Austad, Jay" <austad at ...432...>
> Sent by: snort-users-admin at ...635...
> To: "'snort-users at lists.sourceforge.net'" <snort-users at lists.sourceforge.net>
> cc:
> Subject: [Snort-users] thoughts on load balancing snort boxen for high traffic links
> Date: 2001/03/19 01:26 PM
> 
> 
> 
> 
> I originally sent this message to another list of people, but I think maybe
> it's a good thing to post it here also:
> 
> Ok, so I was thinking more on load balancing snort boxes for high traffic
> links, and here's one idea I had, let me know if this sounds like it may
> work:
> 
> Say I have one box that sits and runs the following command:
> tcpdump -i eth1 -<some_options> | ./splitter -b 10M -h
> 10.1.1.1:9999,10.1.1.2:9999,10.1.1.3:9999 &
> 
> Where the program "splitter" takes the tcpdump output as stdin, fills a
> buffer of size specified by the -b option, and then flushes the buffer
> (UDP?) to the first host listed in the -h option, the next fill/flush will
> go to the second host, and so on.
> 
> Each snort box has its snort.conf set up to log to the same central
> database, has a named pipe (mkfifo /dev/snortpipe), and runs something
> like:
> 
> nc -l -p 9999 -u > /dev/snortpipe &
> snort -<some_options> -r /dev/snortpipe &
> 
> I couldn't get snort to take stdin, hence the creation of the named pipe.
> The splitter program will most likely have to have multiple threads running
> so that when one is flushing the buffer, the next one can be filling
> another one so there is no interruption in collection of data.  As my
> 3 snort boxes start running out of resources because of growing traffic, I
> can just add another.  Obviously, you're probably going to hose some of
> the fragment reassembly, but it shouldn't be too bad if your buffer size
> specified in the splitter program is large enough.
> 
> Unless snort gets more efficient or takes advantage of multiple procs, or
> until we have 4Ghz processors, I don't see how I'm going to sniff links
> that sustain any more than 20Mbit/sec worth of traffic.  Thoughts??
> 
> 
> ----------
> Jay Austad
> Network Administrator
> CBS Marketwatch
> 612.817.1271
> austad at ...432... <mailto:austad at ...432...>
> http://cbs.marketwatch.com
> http://www.bigcharts.com
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> 
> 
> 
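Editor's added example, not Jay's "splitter" and not code from the Snort project: a flow-aware version of the splitter idea above, written in Python 3. It assumes tcpdump is writing raw pcap to stdout (`tcpdump -w -`), that the sensor addresses on the command line are the same kind of hypothetical 10.1.1.x:9999 targets used in the post, and that the snaplen is small enough for one pcap record to fit in one UDP datagram (a full Ethernet frame plus the 16-byte record header does). Three practical points drove the design: a 10M buffer cannot be sent as a single UDP datagram (the limit is under 64 KB), a byte-sized buffer boundary would cut a pcap record in half and desynchronize the receiving snort, and plain round robin sends the two halves of a TCP conversation, or the fragments of one datagram, to different sensors, which is exactly what breaks stream and fragment reassembly. Sending one whole record per datagram, to a sensor chosen by a direction-independent hash of the flow, fixes all three; the receivers can keep the `nc -l -p 9999 -u > /dev/snortpipe` and `snort -r /dev/snortpipe` setup from the post unchanged. The `build_*` helpers construct sample frames and a sample pcap in memory so the splitting logic can be exercised offline.

```python
"""Flow-aware pcap splitter: an added example, not the post's 'splitter'.

Assumed pipeline:  tcpdump -i eth1 -s 1514 -w - | ./splitter.py 10.1.1.1:9999 10.1.1.2:9999
Each pcap record goes out as one UDP datagram to the sensor chosen by a
symmetric hash of the flow, so both directions of a connection and all
fragments of a datagram reach the same snort box, and a lost datagram costs
one packet rather than the receiver's pcap framing.
"""
import socket
import struct
import sys
import zlib

GLOBAL_HDR_LEN = 24   # pcap file header
REC_HDR_LEN = 16      # per-packet record header


def pcap_endian(magic):
    """struct prefix for the pcap byte order, from the 4-byte magic."""
    if magic == b"\xd4\xc3\xb2\xa1":
        return "<"
    if magic == b"\xa1\xb2\xc3\xd4":
        return ">"
    raise ValueError("stdin is not a pcap stream (use tcpdump -w -)")


def flow_key(pkt):
    """Direction-independent key for an Ethernet/IPv4 frame; None if not IPv4."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
        return None
    ihl = (pkt[14] & 0x0F) * 4
    proto = pkt[23]
    frag = struct.unpack("!H", pkt[20:22])[0]   # flags + fragment offset
    src, dst = pkt[26:30], pkt[30:34]
    sport = dport = 0
    l4 = 14 + ihl
    # Non-first fragments carry no ports, so any fragmented datagram (MF set
    # or offset > 0) is keyed on addresses only; all its pieces then land on
    # one sensor, which is what fragment reassembly needs.
    if not (frag & 0x3FFF) and proto in (6, 17) and len(pkt) >= l4 + 4:
        sport, dport = struct.unpack("!HH", pkt[l4:l4 + 4])
    a, b = sorted([(src, sport), (dst, dport)])   # same key for both directions
    return a[0] + b[0] + struct.pack("!HHB", a[1], b[1], proto)


def choose_sensor(pkt, n_sensors):
    """Sensor index for a frame; non-IP traffic all goes to sensor 0."""
    key = flow_key(pkt)
    return 0 if key is None else zlib.crc32(key) % n_sensors


def iter_records(body, prefix):
    """Yield (record_header, packet_bytes) from the bytes after the file header."""
    pos = 0
    while pos + REC_HDR_LEN <= len(body):
        rec_hdr = body[pos:pos + REC_HDR_LEN]
        incl_len = struct.unpack(prefix + "IIII", rec_hdr)[2]
        pkt = body[pos + REC_HDR_LEN:pos + REC_HDR_LEN + incl_len]
        if len(pkt) < incl_len:
            break  # truncated trailing record
        yield rec_hdr, pkt
        pos += REC_HDR_LEN + incl_len


def split_pcap(data, n_sensors):
    """Offline form: split one in-memory pcap into one valid pcap per sensor."""
    prefix = pcap_endian(data[:4])
    outs = [bytearray(data[:GLOBAL_HDR_LEN]) for _ in range(n_sensors)]
    for rec_hdr, pkt in iter_records(data[GLOBAL_HDR_LEN:], prefix):
        outs[choose_sensor(pkt, n_sensors)] += rec_hdr + pkt
    return [bytes(o) for o in outs]


def build_tcp_frame(src, dst, sport, dport, frag=0):
    """Constructed sample Ethernet/IPv4/TCP frame (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, frag, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp


def build_pcap(frames):
    """Constructed sample little-endian pcap (linktype 1 = Ethernet)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f
                          for f in frames)


def main(argv):
    """Streaming form: read pcap on stdin, one UDP datagram per record."""
    sensors = [(h, int(p)) for h, p in (a.rsplit(":", 1) for a in argv[1:])]
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    stdin = sys.stdin.buffer
    global_hdr = stdin.read(GLOBAL_HDR_LEN)
    prefix = pcap_endian(global_hdr[:4])
    for s in sensors:               # every sensor's pcap needs the file header
        sock.sendto(global_hdr, s)
    while True:
        rec_hdr = stdin.read(REC_HDR_LEN)
        if len(rec_hdr) < REC_HDR_LEN:
            break
        pkt = stdin.read(struct.unpack(prefix + "IIII", rec_hdr)[2])
        sock.sendto(rec_hdr + pkt, sensors[choose_sensor(pkt, len(sensors))])


if __name__ == "__main__":
    main(sys.argv)
```

Two caveats on the assumed setup. A sensor that starts (or restarts) after the splitter has already sent the file header never sees one, so its `snort -r` will reject the stream; in practice the header has to be resent whenever a sensor is (re)started. And the hash keeps a fragmented TCP segment with its fragments rather than with its stream, so the rare fragmented segment can reach a different sensor than the rest of the connection; keying on the address pair alone avoids that at the cost of coarser balancing.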