[Snort-users] Snort and high performance networks

Chris Rapier rapier at ...11836...
Thu May 20 12:14:01 EDT 2004


Esler, Joel - Contractor wrote:
> How much snort can handle is alone based on RAM, Processor, harddrive
> space, .. physical limitations.  I have had a 486 on 3 x 24 mgbs
> circuits, over 4 Class B's worth of address space and it handled it
> fine.

Well, this is exactly what I'm trying to find out. Is there a machine 
thats powerful enough, within the bounds of reasonability, that will 
allow snort to handle sustained traffic of 3.5 million pps (not 
including ACKs) and still have a useful ruleset? Do we even have to 
maintain a 100% sampling rate or can we get by with 75% or 50% or even 
10%? Can snort handle bonded GigE channels without a problem (I would 
think so but ya never know)?

Look, I know this probably sounds like someone trolling. I mean, how 
many people are actually sitting on top of this much network capacity 
that isn't a 1st tier provider with the ability to just throw money at 
the problem? Well, that would be us (www.psc.edu and www.ncne.net).

Right now we're pushing out 800Mbit single stream tcp flows as a matter 
of course (and can get above a Gbit without too much hassle) but we 
never really dedicated our resources to building really strong security 
(in terms of IDSes and the like)- then there was that incident not so 
long ago that shut down the Grid for a while (some of you might have 
read about it, it was CNN). Now every supercomputing facility and 
teragrid site is scrambling to get their security up to snuff. The 
problem is that we all run on grant money and redirecting resources is 
super difficult. So we need to try and do as much as we can with as 
little money as we can. Which is why if we can use snort - even 
possibleya snort cluster - we'd like to. Thats why I'm here - might as 
well start with the experts and see if they have good insight.

chris





More information about the Snort-users mailing list