[Snort-users] Handling of a 1 or 2 GB pipe?

Edin Dizdarevic edin.dizdarevic at ...7509...
Fri Jan 31 04:59:03 EST 2003


Travis S. wrote:
> Snort-Users,
> I am considering using Snort to monitor traffic on a 1 Gbps internet link, so the combined throughput of the monitored traffic would be 2 Gbps.  The average load is 1 Gbps (combined) and it wouldn't be surprising to see constant levels of above 1.5 Gbps.  The most likely implementation will involve mirroring a switch port to receive the data.  The network is over 60 subnets, with 50,000+ hosts.
> How well would Snort handle reviewing packets of such a link?  I basically want to pick apart packets and examine a few key bytes to determine the application that is used to send the data.  I'm not sure if it's possible to do this on-the-fly, or if it would be better to log the data and analyze from disk.
> Has anyone done similar things?  Any comments on hardware requirements?  Comments overall about the concept?  Operating system suggestions (and version?)?

We diskussed such problems a few weeks ago. IMHO the problem should
be to capture that amount of data. No illusions about realtime-
analyzing so much traffic. You will need to buffer it, at least to
back up the traffic peaks. Btw: No IDS available can probably
provide the performance you need.

I have a small test system at the moment, having two Intel Gbit NICs.
I will do some tests in the next few weeks. For now, my expereience
is, that what Marty is saying in the docs is pretty realistic: up
to ~80Mbit/s can be analyzed real time (with optimized settings,
of course).

I installed the ring-buffer-patched libpcap and started capturing
with tcpdump to a named pipe (or FIFO). "On the other side" I let
Snort analyzing the traffic and hey, it worked - I had no dropped
packets (Thx. Erek ;) ). Even power-scanning in the insane mode with
nmap caused no capturing problems. I will soon (try to) write an
Nessus-plugin providing an attack combined with a packet storm.

So I will soon do some tests with the Gbit NICS. That is to become
very exiting, since it should theoretically overload the PCI-bus of
my 32bit platform. But I have two Xeon machines laying around too ;)

According to some whitepapers, you can capture with libpcap up to
800Mbit/s. I'll try to test that.

So the solution may be to set up a few boxes - for every subnet and
direction one, or similar (~1GB RAM 64-bit platform, SCSI) and try to
disburden Snort/tcpdump as much you can. Decide if you really want to
analyze the outbond traffic. Define your capturing filters ($HOME_NET,
servers, ports) - capture only the stuff you really want to look at.
Than it may work for you and you have a solution the money can't buy.

Hope that helps...

Best regards,


> Thanks,
> Travis S.

Edin Dizdarevic

More information about the Snort-users mailing list