[Snort-users] Snort and high performance networks

Rafael Ortega rafael.ortega at ...11845...
Fri May 21 06:26:02 EDT 2004


Hello, All

I'm currently snorting close to 800Mbps with no problem.  What to do with
the amount of info, is another story.  I tried ACID, but after 24 hours and
700,000 events registered, the data base becomes too slow, even after
indexing certain reference fields.

I've taken to log into syslog in a separate file, and use snortalog nightly
to generate reports from it.  I still use Barnyard/ACID, but clean the
database every 24 hours.  I use it mostly to get quick snapshots of current
events.

I'm waiting for the company's DB people to give me a hand. Maybe migrate
from Mysql to something more efficient or update the hardware (Sun Netra T1
with 512MB RAM doing only the DB).

The sniffer is an Intel Xeon 2.4GHz with 1GB RAM running only snort and
barnyard.
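As an added illustration of the syslog-plus-nightly-report approach described above (this is example code, not snortalog or anything from the thread): a small parser for Snort 2.x `alert_syslog` lines that rolls them up by signature, source host and priority. The log lines are constructed samples, and the hostname, PID and addresses in them are invented.

```python
import re
from collections import Counter

# Constructed sample lines in Snort 2.x alert_syslog format (not from the thread).
# The last line is deliberately not an alert, to show that unrelated syslog traffic is skipped.
SAMPLE_SYSLOG = """\
May 21 03:14:07 sensor1 snort[812]: [1:2003:4] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 10.0.0.5:1434 -> 192.168.1.20:1434
May 21 03:14:09 sensor1 snort[812]: [1:2003:4] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 10.0.0.5:1434 -> 192.168.1.21:1434
May 21 03:15:00 sensor1 snort[812]: [1:469:3] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.9 -> 192.168.1.1
May 21 03:16:42 sensor1 snort[812]: [1:1256:7] WEB-IIS CodeRed v2 root.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 10.0.0.5:3456 -> 192.168.1.30:80
May 21 03:17:01 sensor1 snort[812]: this line is not an alert and must be skipped
"""

# [gid:sid:rev] msg [Classification: ...] [Priority: n]: {PROTO} src[:port] -> dst[:port]
# Ports are optional because ICMP alerts carry none.
ALERT_RE = re.compile(
    r"snort(?:\[\d+\])?: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

def parse_alerts(text):
    """Yield one dict per parseable alert line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield m.groupdict()

def summarize(text, top_n=5):
    """Nightly-report style roll-up: counts by signature, by source host and by priority."""
    alerts = list(parse_alerts(text))
    by_sig = Counter(f"{a['gid']}:{a['sid']} {a['msg']}" for a in alerts)
    by_src = Counter(a["src"] for a in alerts)
    by_prio = Counter(int(a["prio"]) for a in alerts)
    return {
        "total": len(alerts),
        "top_signatures": by_sig.most_common(top_n),
        "top_sources": by_src.most_common(top_n),
        "by_priority": dict(sorted(by_prio.items())),
    }

if __name__ == "__main__":
    report = summarize(SAMPLE_SYSLOG)
    print(f"{report['total']} alerts; by priority: {report['by_priority']}")
    for name, count in report["top_signatures"]:
        print(f"{count:6d}  {name}")
```

Pointing `summarize` at a day's worth of the separate syslog file gives the same kind of snapshot without touching the database at all.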



-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of
Kreimendahl, Chad J
Sent: Thursday, 20 May 2004 13:12
To: Christopher Rapier
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Snort and high performance networks



FWIW... I've got systems that are easily handling between 3-4Gbps each.
That's partially hardware, partially OS, and a little tiny config work.
Very near to all rules enabled on these interfaces, as well as all of
the preprocessors (minus the broken ones), and a database output plugin.

0 dropped packets.   If you check the archives for this list, you'll
find discussions about kernels that can do polling against network
devices, and how this enhances snort performance on high speed links
(network performance in general, really).  I believe I mention the OSes,
maybe some config info and hardware used.

If it's of any value, the machine I'm talking about above (handling
>3Gbps) cost around $2500 (not sure if that's retail).

-----Original Message-----
From: Christopher Rapier [mailto:rapier at ...11836...]
Sent: Thursday, May 20, 2004 11:32 AM
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort and high performance networks


On May 20, 2004, at 11:45 AM, Kreimendahl, Chad J wrote:

>
> Well, I'm sure there is a system out there that can handle this, but my
> question would be:  How in the world do you expect to get a 30GBps
> connection pumped to unix/win machine?   Assuming Cisco device, you
> might be able to pump 2 SPANS (at 1G each) to a sensor...   The other
> two should be no problem... But that 30G on a single device... Rough
> one.
>
Well, the 30GB is really just an example of the size of the networks I
have to deal with. I don't actually think we can do much for that
network. Maybe after it gets broken up to different subnets inside of
our network though. Anyway, the question was really about what the
limits of snort are in terms of how much data it can handle assuming we
can get that much data to it. Even with a minimal rule set on a fast
unix box I wonder what we can pull off.

I think other people out there must have run across using snort on
higher speed links (say 600 to 800Mbps) and I wonder what sort of
problems they've encountered and if their solutions might scale up to
even higher speeds.



_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
