[Snort-users] Snort as Gigabit Sensor

Jeff jcoppock1 at ...5068...
Thu Jul 24 15:29:12 EDT 2003

Banniza Robert, 2003-Jul-24 13:43 -0500:
> Anyone have any good pointers on tuning Linux (Redhat 9) as a gigabit
> sensor? Currently, we are using a Broadcom Corporation NetXtreme BCM5703
> Gigabit Ethernet (TG3 kernel module) Netgear card as the sniffing card. We
> have set up a span port so that we can see all traffic on a Cisco 6509. The
> sad thing is we are encountering 40% packet loss. The network interfaces
> were statically compiled into the kernel and /etc/sysctl.conf was modified
> with the following to provide larger buffers:

Some other posts to this thread talk about getting the max performance
out of a single system, up to 300-500Mbps.  To get a full Gig (well,
700Mbps or so anyway) of IDS traffic you'll need to load balance a
server farm.  Check out the Nortel Alteon Web Switches which have IDS
Load Balancing.  You can configure multiple IDS groups; each group is
a farm of servers.  The load balancing will balance the load by
session, sending each server different packets but keeping the packets
from the same session on the same server.


Jeff Coppock		Systems Engineer
Diggin' Debian		Admin and User
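
The session-based balancing described in the message above, as an added example that is not part of the original post and not the Alteon's actual algorithm: it assumes a direction-independent hash of the 5-tuple, and the function names and sample packets are constructed for illustration. It compares that scheme with per-packet round robin, which splits sessions across sensors and breaks stream reassembly.

```python
import hashlib
from collections import defaultdict

def flow_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Direction-independent key: order the endpoints so A->B and B->A match."""
    a, b = sorted([(src_ip, src_port), (dst_ip, dst_port)])
    return f"{proto}|{a[0]}:{a[1]}|{b[0]}:{b[1]}".encode()

def pick_sensor(pkt, n_sensors):
    """Map a packet to a sensor index from a hash of its flow key (assumed scheme)."""
    digest = hashlib.sha256(flow_key(*pkt)).digest()
    return int.from_bytes(digest[:4], "big") % n_sensors

def distribute(packets, n_sensors, by_session=True):
    """Return {sensor_index: set of flow keys that sensor saw}."""
    seen = defaultdict(set)
    for i, pkt in enumerate(packets):
        # by_session=False models naive per-packet round robin for comparison.
        sensor = pick_sensor(pkt, n_sensors) if by_session else i % n_sensors
        seen[sensor].add(flow_key(*pkt))
    return seen

def split_sessions(seen):
    """Flows whose packets reached more than one sensor."""
    counts = defaultdict(int)
    for flows in seen.values():
        for f in flows:
            counts[f] += 1
    return {f for f, c in counts.items() if c > 1}

# Constructed sample traffic: (src_ip, src_port, dst_ip, dst_port, proto)
PACKETS = [
    ("10.0.0.5", 40001, "192.0.2.10", 80, "tcp"),
    ("192.0.2.10", 80, "10.0.0.5", 40001, "tcp"),   # reply of flow 1
    ("10.0.0.6", 40002, "192.0.2.10", 443, "tcp"),
    ("10.0.0.5", 40001, "192.0.2.10", 80, "tcp"),
    ("192.0.2.10", 443, "10.0.0.6", 40002, "tcp"),  # reply of flow 2
    ("10.0.0.7", 5353, "192.0.2.53", 53, "udp"),
]

if __name__ == "__main__":
    for mode in (True, False):
        broken = split_sessions(distribute(PACKETS, 3, by_session=mode))
        label = "session hash" if mode else "round robin"
        print(f"{label}: {len(broken)} session(s) split across sensors")
```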
