[Snort-users] Handling of a 1 or 2 GB pipe?
edin.dizdarevic at ...7509...
Fri Jan 31 04:59:03 EST 2003
Travis S. wrote:
> I am considering using Snort to monitor traffic on a 1 Gbps internet link, so the combined throughput of the monitored traffic would be 2 Gbps. The average load is 1 Gbps (combined) and it wouldn't be surprising to see constant levels of above 1.5 Gbps. The most likely implementation will involve mirroring a switch port to receive the data. The network is over 60 subnets, with 50,000+ hosts.
> How well would Snort handle reviewing packets of such a link? I basically want to pick apart packets and examine a few key bytes to determine the application that is used to send the data. I'm not sure if it's possible to do this on-the-fly, or if it would be better to log the data and analyze from disk.
> Has anyone done similar things? Any comments on hardware requirements? Comments overall about the concept? Operating system suggestions (and version?)?
We discussed such problems a few weeks ago. IMHO the problem should
be to capture that amount of data. No illusions about analyzing
so much traffic in real time. You will need to buffer it, at least to
back up the traffic peaks. Btw: no IDS available can probably
provide the performance you need.
I have a small test system at the moment, having two Intel Gbit NICs.
I will do some tests in the next few weeks. For now, my experience
is that what Marty is saying in the docs is pretty realistic: up
to ~80Mbit/s can be analyzed in real time (with optimized settings).
I installed the ring-buffer-patched libpcap and started capturing
with tcpdump to a named pipe (or FIFO). "On the other side" I let
Snort analyze the traffic and hey, it worked - I had no dropped
packets (Thx. Erek ;) ). Even power-scanning in the insane mode with
nmap caused no capturing problems. I will soon (try to) write a
Nessus plugin providing an attack combined with a packet storm.
So I will soon do some tests with the Gbit NICs. That is going to be
very exciting, since it should theoretically overload the PCI bus of
my 32bit platform. But I have two Xeon machines lying around too ;)
According to some whitepapers, you can capture with libpcap up to
800Mbit/s. I'll try to test that.
So the solution may be to set up a few boxes - one for every subnet and
direction, or similar (~1GB RAM, 64-bit platform, SCSI) and try to
disburden Snort/tcpdump as much as you can. Decide if you really want to
analyze the outbound traffic. Define your capturing filters ($HOME_NET,
servers, ports) - capture only the stuff you really want to look at.
Then it may work for you and you have a solution money can't buy.
Hope that helps...
> Travis S.
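The tcpdump-to-FIFO-to-Snort setup and the "capture only what you want" filtering that the reply describes, as an added example that is not from the original thread; interface name, subnets, ports and config paths are constructed placeholders, and the ring-buffer libpcap patch is assumed to be installed separately:

```shell
#!/bin/sh
# Added example (not from the thread): tcpdump captures from the mirror
# port into a FIFO, Snort reads the FIFO as if it were a capture file.
# A BPF filter keeps everything Snort does not need off the pipe.
# Subnets, ports, interface and paths below are constructed placeholders.

# Build a BPF filter: traffic to/from the given $HOME_NET subnets,
# restricted to the given server TCP ports.
# $1 = space-separated subnets, $2 = space-separated TCP ports
build_bpf_filter() {
    net_expr=""
    for n in $1; do
        net_expr="${net_expr:+$net_expr or }net $n"
    done
    port_expr=""
    for p in $2; do
        port_expr="${port_expr:+$port_expr or }tcp port $p"
    done
    printf '(%s) and (%s)' "$net_expr" "$port_expr"
}

# Start the pipeline. The FIFO decouples capture from analysis: tcpdump
# keeps draining the NIC while Snort works at its own pace, and the pipe
# buffer absorbs short peaks. Both sides block in open() until the
# other is attached, so both run in the background.
# $1 = interface, $2 = FIFO path, $3 = BPF filter, $4 = snort.conf
start_fifo_capture() {
    [ -p "$2" ] || mkfifo -m 600 "$2"
    # -r reads pcap format; a FIFO looks like a never-ending pcap file
    snort -r "$2" -c "$4" -l /var/log/snort &
    # -s 0: full snaplen so Snort sees the payload bytes it matches on
    tcpdump -n -s 0 -i "$1" -w "$2" "$3" &
    wait
}

# Run only when invoked with "run", e.g.  sh capture.sh run
if [ "${1:-}" = run ]; then
    f=$(build_bpf_filter "192.0.2.0/24 198.51.100.0/24" "25 80 443")
    start_fifo_capture eth1 /var/run/snort.fifo "$f" /etc/snort/snort.conf
fi
```

Watch the pcap_stats drop counter (or tcpdump's "packets dropped by kernel" summary) rather than trusting the absence of alerts: a FIFO hides a slow Snort only as long as the pipe buffer has room.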