[Snort-users] Snort as Gigabit Sensor

Kreimendahl, Chad J Chad.Kreimendahl at ...4716...
Fri Jul 25 08:55:11 EDT 2003

Sometimes need to load balance is based on hardware available..
Unfortunately it's greatly more expensive to buy a load balancer [ see:
http://www.toplayer.com/ and http://www.radware.com/ ], than it is to
simply buy a system capable of handling the gigabit load.  If a system
is configured properly, and the drivers for the network device are
configured for polling, gigabit shouldn't be a problem for a system
costing less than $3k.

Where the need for load balancing comes in, mostly for corps, is when
you have redundant or HA networks.  For example:  If you have highly
available web servers, each being connected to 2+ switches, and if those
web servers either fail over or do some sort of trunking or load
balancing, you're not always going to be able to reassemble streams
properly, as the data my be split out across multiple potential sensors.
In our dev environment we've been beta testing some of these load
balancers and have found some pretty sweet arze uses for them. Using
them to bring streams separated across devices is wonderful. Most of
these devices will allow you to take all of your input and split it out
based on a set of rules, whether it be IP, port or physical separation.
This helps greatly in separation of duties for snorts, such as pushing
all web traffic to one sensor, allowing preprocessors like rpc_decode
and the like to be turned off... and vice versa for turning of the http
decode stuff for those not getting port 80 data.  Or what about sending
all UDP to one sensor and turning off all non UDP rules.    This is
great when you have a highly controlled env... and if you have no need
for portscan2, since these types of setups can miss scans.  

As for gig capabilities:  Generally speaking, for less than most
companies charge for sensors, you could easily build one that would
handle gigabit, but you must have NIC drivers that do polling and an OS
that supports it (FreeBSD 4.5+,5; Solaris 8,9; etc..).

For load balancing:  Many people in the corporate world have need for
load balancing, but their reason isn't a 3-500Mbps limit... it's often
the 1Gbps limit and/or an HA-redundant network setup.

-----Original Message-----
From: Jason Haar [mailto:Jason.Haar at ...294...] 
Sent: Thursday, July 24, 2003 7:06 PM
To: 'snort-users at lists.sourceforge.net'
Subject: Re: [Snort-users] Snort as Gigabit Sensor

Jeff wrote:

>Some other posts to this thread talk about getting the max performance
>out of a single system, up to 300-500Mbps.  To get a full Gig (well
>700Mbps or so anyway) of IDS traffic you'll need to load balance a
>server farm.  Check out the Nortel Alteon Web Switches which have IDS

Can I just ask a naive question? Needing to load balance is only due to 
the sites requiring PCI-based IDS isn't it? I mean, there are Gb IDS out

there - they wouldn't need load balancers would they?

Pretty scary: Gb Ethernet isn't exactly cutting edge these days - being 
required to go over to load balancers must really change the budget 

[so sayeth the lucky 100M-max Snort user ;-)]


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list