[Snort-users] thoughts on load balancing snort boxen for high traffic links

Erik Engberg Erik.Engberg at ...511...
Tue Mar 20 10:48:26 EST 2001


(This has been up on the list before, hasn't it?)

Anyway,

I have done tests of this with the TopLayer switch and it works great, even
load-balancing 3-4 Snorts and 3-4 [other IDS] for redundant detection.

If you want an alternative, Alteon layer-7 switches work just fine as well
(even better?). Although they are not fully stateful and have a built-in
stateful firewall like the TopLayer, they are a lot faster (more stable?) and
can handle a lot more load, and work great for IDS load balancing. They may
be cheaper as well... Although the TopLayer switch has a much more
luser-friendly Windoze GUI interface.

I would recommend the TopLayer product to most people and Alteon to the
high-demand pros.

/Erik



>-----Original Message-----
>From: diphen at ...108... [mailto:diphen at ...108...]
>Sent: den 19 mars 2001 23:48
>To: Austad, Jay
>Cc: 'snort-users at lists.sourceforge.net'
>Subject: Re: [Snort-users] thoughts on load balancing snort boxen for
>high traffic links
>
>
>I asked Marty this question a while back - his recommendation was to use
>TopLayer switches and balance between a few different boxes.
>
>-g
>
>On Mon, Mar 19, 2001 at 01:26:35PM -0600, Austad, Jay wrote:
>> I originally sent this message to another list of people, but I think maybe
>> it's a good thing to post it here also:
>> 
>> Ok, so I was thinking more on load balancing snort boxes for high traffic
>> links, and here's one idea I had, let me know if this sounds like it may
>> work:
>> 
>> Say I have one box that sits and runs the following command:
>> tcpdump -i eth1 -<some_options> | ./splitter -b 10M -h
>> 10.1.1.1:9999,10.1.1.2:9999,10.1.1.3:9999 &
>> 
>> Where the program "splitter" takes the tcpdump output as stdin, fills a
>> buffer of size specified by the -b option, and then flushes the buffer
>> (UDP?) to the first host listed in the -h option, the next fill/flush will
>> go to the second host, and so on.
>> 
>> Each snort box has its snort.conf set up to log to the same central
>> database, has a named pipe (mkfifo /dev/snortpipe), and runs something like:
>> 
>> nc -l -p 9999 -u > /dev/snortpipe &
>> snort -<some_options> -r /dev/snortpipe &
>> 
>> I couldn't get snort to take stdin, hence the creation of the named pipe.
>> The splitter program will most likely have to have multiple threads running
>> so that when one is flushing the buffer, the next one can be filling another
>> one so there is no interruption in collection of data.  As my 3 snort boxes
>> start running out of resources because of growing traffic, I can just add
>> another.  Obviously, you're probably going to hose some of the fragment
>> reassembly, but it shouldn't be too bad if your buffer size specified in the
>> splitter program is large enough.  
>> 
>> Unless snort gets more efficient or takes advantage of multiple procs, or
>> until we have 4GHz processors, I don't see how I'm going to sniff links
>> that sustain any more than 20Mbit/sec worth of traffic.  Thoughts??
>> 
>> 
>> ---------- 
>> Jay Austad 
>> Network Administrator 
>> CBS Marketwatch 
>> 612.817.1271 
>> austad at ...432... <mailto:austad at ...432...>  
>> http://cbs.marketwatch.com 
>> http://www.bigcharts.com 
>> 
>> 
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> http://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
