[Snort-users] Snort as Gigabit Sensor

Jeff jcoppock1 at ...5068...
Sat Jul 26 19:19:03 EDT 2003

Jason Haar, 2003-Jul-25 12:06 +1200:
> Jeff wrote:
> >Some other posts to this thread talk about getting the max performance
> >out of a single system, up to 300-500Mbps.  To get a full Gig (well
> >700Mbps or so anyway) of IDS traffic you'll need to load balance a
> >server farm.  Check out the Nortel Alteon Web Switches which have IDS
> >
> Can I just ask a naive question? Needing to load balance is only due to 
> the sites requiring PCI-based IDS isn't it? I mean, there are Gb IDS out 
> there - they wouldn't need load balancers would they?

Right.  Farming multiple 100-300Mbps systems and load-balancing is one

> Pretty scary: Gb Ethernet isn't exactly cutting edge these days - being 
> required to go over to load balancers must really change the budget 
> requirements...

Chad and Andrew make very good points.  If you really are pushing 1GB,
then load-balancing is one option, another option being to build a
high-speed system.  

Chad makes some great points about some advantages of load-balancers.
Providing high-availability to your IDS farm is nice.  Also, being able
to filter traffic to specific IDS systems is also nice.


Jeff Coppock		Systems Engineer
Diggin' Debian		Admin and User
