[Snort-users] Snort on a Gigabit Bandwidth
TRIBUT Mickael OF/DTRS
mickael.tribut at ...11801...
Mon Aug 16 08:43:08 EDT 2004
Hum, thanks for your response :)
But I don't understand ".... why isn't this in the FAQ?", what do you mean ???
1, rue du Centre
93196 Noisy-le-Grand Cedex
Tel.: 01 48 15 75 85
E-mail: mickael.tribut at ...11801...
From: Erik Fichtner [mailto:emf at ...367...]
Sent: Monday, 16 August 2004 17:37
To: TRIBUT Mickael OF/DTRS
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort on a Gigabit Bandwidth
-----BEGIN PGP SIGNED MESSAGE-----
.... why isn't this in the FAQ?
On Mon, Aug 16, 2004 at 04:28:21PM +0200, TRIBUT Mickael OF/DTRS wrote:
> I want to configure a Snort probe on a gigabit bandwidth and I know that Snort only supports 100 mb
> What could I do ???
> Indeed the Libpcap library doesn't support gigabit, however I know that a patch for this kind of library exists !
Pick your poison:
> I also need an example of typical PC hardware for this sort of configuration !!
There isn't a typical config. You'll need to examine your hardware options
in great detail.
You need the best PCI-X backplane bandwidth you can get (go after
server motherboards, not desktop. 66MHz PCI is only good to 400MBit/sec.
You're going to need 133MHz PCI-X).
You need as much memory as you can stand to hold your MMAP working
set as well as good memory performance (Xeon boxes are pretty good at this,
I don't know about the AMD offerings.).
You need great low-latency server network adapter(s) (133MHz PCI-X).
And keep in mind that your capture options will limit you further. Taps
require multiple NICs or some kind of aggregation system and span/mirror ports
sometimes aren't quite up to the task of a full gig of duplicated traffic.
Low end switches often don't have much more than a couple gig of internal BW.
Another thing to keep in mind is that many loadbalancers can split streams
to multiple sensors so you aren't required to have one system tuned to
theoretical maximum performance. If you really have a gigabit IDS
requirement, you can probably justify two or three smaller systems that can
each soak up a few hundred megabits/sec.
Good luck on your quest for 62.5MBytes/sec.
Principal Engineer, Information Security, ServerVault Corp.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)
-----END PGP SIGNATURE-----
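
Splitting streams across several sensors, as the reply suggests, only helps a stateful IDS if both directions of a session reach the same sensor, because stream reassembly needs to see both sides. The following is an added example, not part of the original thread: a direction-independent flow hash of the kind a splitter could use. The function names, the sensor count and the sample traffic are constructed for illustration.

```python
import hashlib
import ipaddress
from collections import Counter

def flow_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Direction-independent key: order the two endpoints so A->B equals B->A."""
    a = (ipaddress.ip_address(src_ip).packed, src_port)
    b = (ipaddress.ip_address(dst_ip).packed, dst_port)
    lo, hi = sorted((a, b))
    return b"".join(ip + port.to_bytes(2, "big") for ip, port in (lo, hi)) + bytes([proto])

def pick_sensor(packet, n_sensors):
    """Map a (src_ip, src_port, dst_ip, dst_port, proto) tuple to a sensor index."""
    digest = hashlib.sha256(flow_key(*packet)).digest()
    return int.from_bytes(digest[:8], "big") % n_sensors

def reverse(packet):
    """Swap source and destination to get the reply direction of a packet."""
    src_ip, src_port, dst_ip, dst_port, proto = packet
    return (dst_ip, dst_port, src_ip, src_port, proto)

def sample_packets(n_flows=300):
    """Constructed traffic: n_flows TCP sessions to one web server, both directions."""
    packets = []
    for i in range(n_flows):
        request = (f"10.0.{i // 250}.{i % 250 + 1}", 40000 + i, "192.0.2.10", 80, 6)
        packets += [request, reverse(request)]
    return packets

def split_report(packets, n_sensors):
    """Return (packets per sensor, packets whose reply lands on another sensor)."""
    load = Counter(pick_sensor(p, n_sensors) for p in packets)
    split = sum(1 for p in packets
                if pick_sensor(p, n_sensors) != pick_sensor(reverse(p), n_sensors))
    return load, split

if __name__ == "__main__":
    load, split = split_report(sample_packets(), n_sensors=3)
    for sensor in sorted(load):
        print(f"sensor {sensor}: {load[sensor]} packets")
    print(f"packets whose reply went to a different sensor: {split}")
```

Because the mapping is a plain modulo, adding or removing a sensor reassigns most flows, so sessions open at that moment lose their state on the sensor that was tracking them.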