[Snort-users] Snort on a Gigabit Bandwidth

Erik Fichtner emf at ...367...
Mon Aug 16 08:38:24 EDT 2004

.... why isn't this in the FAQ?   

On Mon, Aug 16, 2004 at 04:28:21PM +0200, TRIBUT Mickael OF/DTRS wrote:
> I want to configure a snort probe on a gigabit bandwidth and I know that snort only supports 100 mb
> What could I do ???
> Indeed Libpcap library doesn't support gigabit, however I know that a patch for this kind of library exists !

Pick your poison:


> I also need an example of typical hardware pc for this sort of configuration !!

There isn't a typical config.  You'll need to examine your hardware options
in great detail.  

	You need the best PCI-X backplane bandwidth you can get (go after 
server motherboards, not desktop.  66MHz PCI is only good to 400MBit/sec.
You're going to need 133MHz PCI-X).

	You need as much memory as you can stand to hold your MMAP working 
set as well as good memory performance (Xeon boxes are pretty good at this, 
I don't know about the AMD offerings).

	You need great low-latency server network adapter(s) (133MHz PCI-X).

And keep in mind that your capture options will limit you further.  Taps
require multiple NICs or some kind of aggregation system and span/mirror ports
sometimes aren't quite up to the task of a full gig of duplicated traffic. 
Low end switches often don't have much more than a couple gig of internal BW.

Another thing to keep in mind is that many loadbalancers can split streams
to multiple sensors so you aren't required to have one system tuned to 
theoretical maximum performance.    If you really have a gigabit IDS 
requirement, you can probably justify two or three smaller systems that can
each soak up a few hundreds of megabits/sec each.

Good luck on your quest for 62.5MBytes/sec. 

Erik Fichtner
Principal Engineer, Information Security, ServerVault Corp.
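
The stream splitting across multiple sensors mentioned in the reply above, as an added example that is not part of the original message: a direction-independent flow hash that keeps both halves of a connection on the same sensor, so each sensor sees complete conversations. The packet tuples are constructed sample data, and the function names and the CRC32 hash are assumptions for illustration, not how any particular load balancer works.

```python
import ipaddress
import zlib
from collections import Counter

def flow_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Direction-independent key: A->B and B->A produce the same bytes."""
    a = (ipaddress.ip_address(src_ip).packed, src_port)
    b = (ipaddress.ip_address(dst_ip).packed, dst_port)
    lo, hi = sorted((a, b))  # canonical endpoint order
    return (lo[0] + lo[1].to_bytes(2, "big") +
            hi[0] + hi[1].to_bytes(2, "big") + bytes([proto]))

def pick_sensor(five_tuple, n_sensors):
    """Map a flow to one sensor index (CRC32 is an assumed, illustrative hash)."""
    return zlib.crc32(flow_key(*five_tuple)) % n_sensors

def sensor_load(packets, n_sensors):
    """Sum bytes per sensor; packets are (src, sport, dst, dport, proto, length)."""
    load = Counter()
    for *five_tuple, length in packets:
        load[pick_sensor(five_tuple, n_sensors)] += length
    return load

def sample_packets(n_flows=300):
    """Constructed sample: n_flows TCP clients talking to one web server."""
    pkts = []
    for i in range(n_flows):
        client = f"10.0.{i // 250}.{i % 250 + 1}"
        sport = 1024 + i
        pkts.append((client, sport, "192.0.2.10", 80, 6, 400))    # request
        pkts.append(("192.0.2.10", 80, client, sport, 6, 1400))   # response
    return pkts

if __name__ == "__main__":
    for sensor, nbytes in sorted(sensor_load(sample_packets(), 3).items()):
        print(f"sensor {sensor}: {nbytes} bytes")
```

Because the split is per flow, a single very large flow still lands whole on one sensor, so per-sensor headroom matters even when the average load is even.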
