[Snort-users] Snort and high performance networks

Christopher Rapier rapier at ...11836...
Thu May 20 09:32:08 EDT 2004

On May 20, 2004, at 11:45 AM, Kreimendahl, Chad J wrote:

> Well, I'm sure there is a system out there that can handle this, but my
> question would be:  How in the world do you expect to get a 30GBps
> connection pumped to unix/win machine?   Assuming Cisco device, you
> might be able to pump 2 SPANS (at 1G each) to a sensor...   The other
> two should be no problem... But that 30G on a single device... Rough
> one.
Well, the 30GB is really just an example of the size of the networks I 
have to deal with. I don't actually think we can do much for that 
network Maybe after it gets broken up to different subnets inside of 
our network though. Anyway, the question was really about what the 
limits of snort are in terms of how much data it can handle assuming we 
can get that much data to it. Even with a minimal rule set on a fast 
unix box I wonder what we can pull off.

I think other people out there must have run across using snort on 
higher speed links (say 600 to 800Mbps) and I wonder what sort of 
problems they've encountered and if their solutions might scale up to 
even higher speeds.

