[Snort-users] Good Gbit card for Snorting?

Abe L. Getchell abegetchell at ...530...
Sun Nov 11 15:51:01 EST 2001


Hi Jason,

PIII 1.0Ghz, 512MB RAM, Ultra160 disk subsystem and disks, IBM
integrated 10/100 controller for OOB management NIC, and now probably an
Intel Gbit NIC for the sniffing interface.  Much the same config as
Tim's sensor.  Check out the IBM x220's.  I've found they make great
Snort sensors for a decent price... And no, I do not work for, or am
affiliated with, IBM or any of their subsidiaries. =)

While not having been able to test snort running at Gbit speeds on our
production network yet, I can say this config handles a saturated
100Mbit link with an Intel 10/100 sniffing interface quite nicely.  The
processor on the box was pretty well maxed out running with a default
set of snort rules, but when tuned for our environment, dropped
utilization dramatically.  Hopefully I'll be able to report the same
when dropping the box onto a Gbit segment here in the near future.

Thanks,
Abe

--
Abe L. Getchell
Security Engineer
abegetchell at ...530...


> -----Original Message-----
> From: Jason Lewis [mailto:jlewis at ...2449...] 
> Sent: Sunday, November 11, 2001 5:08 PM
> To: 'Tim Sailer'; 'Abe L. Getchell'
> Cc: snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] Good Gbit card for Snorting?
> 
> 
> Could you share what the specs are on the box you are using?  
> Maybe average traffic and load on the box?
> 
> I am looking at building a couple of gig sensors and it would 
> be nice to hear what others are doing.  Thanks much.
> 
> Jason Lewis
> http://www.packetnexus.com
> It's not secure "Because they told me it was secure".
> The people at the other end of the link know less
> about security than you do. And that's scary.
> 
> 
> 
> 
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of 
> Tim Sailer
> Sent: Sunday, November 11, 2001 4:32 PM
> To: Abe L. Getchell
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Good Gbit card for Snorting?
> 
> 
> On Sun, Nov 11, 2001 at 03:50:18PM -0500, Abe L. Getchell wrote:
> > Greetings!
> >
> > Has anyone run into a particular Gbit card which has worked 
> well for 
> > them under Linux for Snorting?  I've searched on Google, as well as 
> > other resources, and can't really come up with anything 
> except people 
> > sharing their bad experiences doing so. =)  I tend to lean towards 
> > Intel, as I've had good experiences in the past with their 10/100 
> > cards, but I thought I'd check with ya'll to see what the 
> collective 
> > community opinion was.
> 
> We've been using the Intel in production for about 3-4 weeks 
> now with no problems at all.
> 
> Tim
> 
> --
> Tim Sailer <sailer at ...2968...>
> Manager, Cyber Security Operations
> Brookhaven National Laboratory  (631) 344-3001
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe: 
> https://lists.sourceforge.net/lists/listinfo/s> nort-users
> 
> Snort-users list archive: 
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 





More information about the Snort-users mailing list