[Snort-users] Line aggregation (was: Snort as Gigabit Sensor)

Williams Jon WilliamsJonathan at ...2134...
Fri Jul 25 10:53:04 EDT 2003


Thanks, but my problem is more from the number of cables than from the
number of IP networks.  Since I've got 24 taps, that means I've got 48
ethernet cables that I want to monitor, but I don't want to have to buy 48
boxes and I don't have enough space in my boxes for 48 ports (each box has 2
available PCI slots, which gives me only 8 ports per box if I use quad
ethernet cards).

Right now, I've got 3 physical sensors, although I want to add a 4th to do
statistical analysis and p0f-style OS fingerprinting if I can find a way to
do it.  That means that I need a way to "funnel" the 48 input ports down to
3 output ports and then copy all of the input traffic to a 4th output for
the stat collection.  So far, I haven't found anything that can do that kind
of traffic management.

Jon

-----Original Message-----
From: Banniza Robert [mailto:Robert.Banniza at ...9244...]
Sent: Friday, July 25, 2003 11:49 AM
To: Williams Jon; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Line aggregation (was: Snort as Gigabit
Sensor)


Not sure if this will help you or not but we are using iproute2 within Linux
to allow us to sniff each of the separate smaller network segments.
Therefore, we only have one machine providing the sniffing capability for 13
separate networks all coming through one interface. Let me know if you need
details on this...

Robert

-----Original Message-----
From: Williams Jon [mailto:WilliamsJonathan at ...2134...]
Sent: Friday, July 25, 2003 11:24 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Line aggregation (was: Snort as Gigabit Sensor)


This brings up a related, but slightly different problem I'm trying to
figure out.  Fortunately, I'm not faced with gigabit speeds.  Instead, I've
got a whole bunch of small links that I'm tapping (somewhere around 2 dozen
taps, which means 4 dozen input interfaces needed), but I don't want to
dedicate a physical box for each link and, due to the standardized hardware
I can get here, I don't have room for dozens of 100 mbit interfaces in a
given sensor.  All together, most of the links don't add up to a combined
throughput of 100 mbit sustained.

We've looked at TopLayer, but as mentioned below, the price/port on them is
quite high, particularly since we're not doing load balancing or any of the
other advanced functionality and they've only got 12 copper ports per
device.  Does anyone make a device that allows me to arbitrarily combine the
traffic from ports together such that, for example, I could take ports 1-8
and output them to port 48, ports 9-24 and output to 47, and then copy all
of the traffic on all input ports to port 46?  Ideally, the device would
come with more than 12 copper ports, 24 would be nice, 48 would be better.

Thanks.

Jon

-----Original Message-----
From: Kreimendahl, Chad J [mailto:Chad.Kreimendahl at ...4716...]
Sent: Friday, July 25, 2003 10:55 AM
To: Jason Haar; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Snort as Gigabit Sensor



Sometimes the need to load balance is based on hardware available.
Unfortunately it's greatly more expensive to buy a load balancer [ see:
http://www.toplayer.com/ and http://www.radware.com/ ], than it is to
simply buy a system capable of handling the gigabit load.  If a system
is configured properly, and the drivers for the network device are
configured for polling, gigabit shouldn't be a problem for a system
costing less than $3k.

Where the need for load balancing comes in, mostly for corps, is when
you have redundant or HA networks.  For example:  If you have highly
available web servers, each being connected to 2+ switches, and if those
web servers either fail over or do some sort of trunking or load
balancing, you're not always going to be able to reassemble streams
properly, as the data may be split out across multiple potential sensors.
In our dev environment we've been beta testing some of these load
balancers and have found some pretty sweet arze uses for them. Using
them to bring streams separated across devices is wonderful. Most of
these devices will allow you to take all of your input and split it out
based on a set of rules, whether it be IP, port or physical separation.
This helps greatly in separation of duties for snorts, such as pushing
all web traffic to one sensor, allowing preprocessors like rpc_decode
and the like to be turned off... and vice versa for turning off the http
decode stuff for those not getting port 80 data.  Or what about sending
all UDP to one sensor and turning off all non UDP rules.    This is
great when you have a highly controlled env... and if you have no need
for portscan2, since these types of setups can miss scans.  

As for gig capabilities:  Generally speaking, for less than most
companies charge for sensors, you could easily build one that would
handle gigabit, but you must have NIC drivers that do polling and an OS
that supports it (FreeBSD 4.5+,5; Solaris 8,9; etc..).

For load balancing:  Many people in the corporate world have need for
load balancing, but their reason isn't a 3-500Mbps limit... it's often
the 1Gbps limit and/or an HA-redundant network setup.
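An added example, not code from the thread or any of the products named in it: a small Python model of the rule-based split Chad describes (web traffic to one Snort sensor, UDP to another, the rest to a third) together with the "copy everything to a fourth box" feed Jon asks about, and a simplified portscan2-style counter run over each sensor's slice to show why a split setup can miss a scan that the whole-traffic copy still catches. Sensor names, the port/protocol rules and the sample packets are all constructed for the illustration.

```python
from collections import defaultdict

# Constructed sensor names (assumption, not from the thread).
WEB_SENSOR = "snort-web"      # only port-80 TCP: http decode on, rpc_decode off
UDP_SENSOR = "snort-udp"      # only UDP: non-UDP rules off
OTHER_SENSOR = "snort-other"  # everything else
STATS_SENSOR = "stats"        # receives a copy of every packet

def steer(pkt):
    """Return the sensors receiving one packet: exactly one IDS sensor chosen
    by protocol/port, plus the stats sensor, which gets a copy of everything."""
    if pkt["proto"] == "udp":
        primary = UDP_SENSOR
    elif pkt["proto"] == "tcp" and 80 in (pkt["sport"], pkt["dport"]):
        primary = WEB_SENSOR
    else:
        primary = OTHER_SENSOR
    return (primary, STATS_SENSOR)

def distribute(packets):
    """Group packets by the sensor that will inspect them."""
    queues = defaultdict(list)
    for pkt in packets:
        for sensor in steer(pkt):
            queues[sensor].append(pkt)
    return queues

def portscan_sources(packets, min_ports=5):
    """Simplified portscan2-style check: flag a source that touches at least
    min_ports distinct destination ports within the packets it is given."""
    ports = defaultdict(set)
    for pkt in packets:
        ports[pkt["src"]].add(pkt["dport"])
    return {src for src, seen in ports.items() if len(seen) >= min_ports}

def build_scan(src="198.51.100.7", dst="192.0.2.10"):
    """Constructed sample: one host probes TCP 22, 80, 443, 3306 and UDP 53, 161."""
    tcp = [dict(src=src, dst=dst, proto="tcp", sport=40000 + i, dport=p)
           for i, p in enumerate((22, 80, 443, 3306))]
    udp = [dict(src=src, dst=dst, proto="udp", sport=50000 + i, dport=p)
           for i, p in enumerate((53, 161))]
    return tcp + udp

def scan_seen_by(packets):
    """Which sensors flag the scanner when each sees only its own slice."""
    return {s: portscan_sources(q) for s, q in distribute(packets).items()}
```

With the sample scan, only the stats sensor (which sees all six probed ports) flags the source; the three rule-split sensors each see too few ports to trip the threshold.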


-----Original Message-----
From: Jason Haar [mailto:Jason.Haar at ...294...] 
Sent: Thursday, July 24, 2003 7:06 PM
To: 'snort-users at lists.sourceforge.net'
Subject: Re: [Snort-users] Snort as Gigabit Sensor


Jeff wrote:

>Some other posts to this thread talk about getting the max performance
>out of a single system, up to 300-500Mbps.  To get a full Gig (well
>700Mbps or so anyway) of IDS traffic you'll need to load balance a
>server farm.  Check out the Nortel Alteon Web Switches which have IDS
>

Can I just ask a naive question? Needing to load balance is only due to
the sites requiring PCI-based IDS isn't it? I mean, there are Gb IDS out
there - they wouldn't need load balancers would they?

Pretty scary: Gb Ethernet isn't exactly cutting edge these days - being 
required to go over to load balancers must really change the budget 
requirements...

[so sayeth the lucky 100M-max Snort user ;-)]

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users