[Snort-users] Snort and high performance networks
rapier at ...11836...
Thu May 20 12:14:01 EDT 2004
Esler, Joel - Contractor wrote:
> How much Snort can handle is based solely on RAM, processor, hard drive
> space, ... physical limitations. I have had a 486 on 3 x 24 Mbps
> circuits, over 4 Class B's worth of address space, and it handled it
Well, this is exactly what I'm trying to find out. Is there a machine that's powerful enough, within the bounds of reason, that will allow Snort to handle sustained traffic of 3.5 million pps (not including ACKs) and still have a useful ruleset? Do we even have to maintain a 100% sampling rate, or can we get by with 75% or 50% or even 10%? Can Snort handle bonded GigE channels without a problem (I would think so, but you never know)?
Look, I know this probably sounds like someone trolling. I mean, how many people are actually sitting on top of this much network capacity that aren't a first-tier provider with the ability to just throw money at the problem? Well, that would be us (www.psc.edu and www.ncne.net). Right now we're pushing out 800 Mbit single-stream TCP flows as a matter of course (and can get above a Gbit without too much hassle), but we never really dedicated our resources to building really strong security (in terms of IDSes and the like). Then there was that incident not so long ago that shut down the Grid for a while (some of you might have read about it; it was on CNN). Now every supercomputing facility and TeraGrid site is scrambling to get their security up to snuff. The problem is that we all run on grant money, and redirecting resources is super difficult. So we need to try and do as much as we can with as little money as we can. Which is why, if we can use Snort (possibly even a Snort cluster), we'd like to. That's why I'm here: might as well start with the experts and see if they have good insight.