[Snort-users] Snort as Gigabit Sensor
andrew.hutchinson at ...759...
Fri Jul 25 06:41:04 EDT 2003
I have a couple of items on this:
- I'm using Intel Pro/1000F adapters with great success. The host it is
running on is a Dual PIII-850 machine w/ 256MB RAM, and sees sustained
traffic in the 50Mbit/s range all day (8-5), with peaks to the 100Mbit/s
range. I generally run < 1% packet loss, even running spp_portscan and
a fairly complete ruleset. OS is RH7.3, 2.4.18smp kernel, compiled w/
only what was absolutely necessary. NIC driver is a loadable module
though (not static).
- Jason points out that Gb Ethernet is common these days, and it is.
However, people needing true Gbit IDS are rarer (though not by any means
nonexistent - I'm sure that there are a number of people on this list
that truly need Gbit IDS). I can't count the number of times that
people told me "I need a Gigabit Firewall" or "I need a Gigabit ID
sensor", and then I graph traffic for a week and discover that they're
pushing less than 10Mbit average through the connection in question. In
one case, the group that "HAD to have a Gigabit firewall" was averaging
less than 200 kb/s through their connection. Just because the fat pipe
is there doesn't mean it's full. :-)
Andrew Hutchinson - Network Security
Vanderbilt University Medical Center
> -----Original Message-----
> From: Jason Haar [mailto:Jason.Haar at ...294...]
> Sent: Thursday, July 24, 2003 7:06 PM
> To: 'snort-users at lists.sourceforge.net'
> Subject: Re: [Snort-users] Snort as Gigabit Sensor
> Jeff wrote:
> >Some other posts to this thread talk about getting the max
> >out of a single system, up to 300-500Mbps. To get a full Gig (well
> >700Mbps or so anyway) of IDS traffic you'll need to load balance a
> >server farm. Check out the Nortel Alteon Web Switches which have IDS
> Can I just ask a naive question? Needing to load balance is only due to
> the sites requiring PCI-based IDS isn't it? I mean, there are Gb IDS out
> there - they wouldn't need load balancers would they?
> Pretty scary: Gb Ethernet isn't exactly cutting edge these days - being
> required to go over to load balancers must really change the budget
> [so sayeth the lucky 100M-max Snort user ;-)]
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1