[Snort-users] Snort and high performance networks
rapier at ...11836...
Fri May 21 10:33:04 EDT 2004
To be fair, I think that 800Mbps is completely and totally possible. I
can capture 400mbps on a dual P3 800 - I'm not running it through
snort but my own set of software which might be more computationally
intensive. Now, my system isn't set up all that well - if I was smart I
would have gotten a single proc box - the dual system just eats up too
many interrupts - which is where my main problem is. The syskonnect
card just throws off too many interrupts for the hardware to keep up.
With some modifications including more aggressive interrupt coalescing,
wedging a larger buffer into the libpcap code, and possibly some minor
kernel mods I can see it hitting 800Mbps. Even better would be getting
it into a more up to date box with a single proc and PCI-X.
My specific problem is that we're - essentially - an all optical house
here so I need to use two GigE cards to capture both inbound and
outbound - which means more hassles with interrupts and so forth and
such not. Not a good time.
Anyway, I'll be talking with someone who used to be with Enadace and
the DAG project over at Waikato (en zed university). I saw some of the
work they've been doing at the PAM 2001 conf and have been keeping an
eye on them since. After the presentation I'll sit down and see what he
has to say about this issue and post some highlights here.
On May 21, 2004, at 11:58 AM, snort user wrote:
> Ive snipped out some of the recent posts to this thread. Weve been
> doing extensive research into snort speeds at my University and to me
> it seems like these 2 posts are completely innaccurate and absurb.
> Chad claims to capture all traffic with all rules and preprocessors
> with a $2500 piece of hardware, while if you buy a $50,000 solution
> from Sourcefire(home of the creator of snort) you can only get 1 Gig
> and they disable rules and preprocessors
> And then when Chris asked you your specs on your box you differ him to
> Even getting 800 Mb/s as Rafael said is not impossible but really is
> not feasible without hardcore kernel modifcation and maybe even
> silicon chips and ASIC cards.
> Would either of you like to share how your able to do this, I mean the
> technologies and hardware you using? Also how do you verify these
> -- UoC --
> -- snip Rafael Ortega--
>> I'm currently snorting close to 800Mbps with no problem. What to do
>> the amount of info, is another story. I tried ACID, but after 24
>> hours and
>> 700,000 events registered, the data base becomes too slow, even after
>> indexing certain reference fields.
> -- end snip --
> -- snip Kreimendahl, Chad --
>> FWIW... I've got systems that are easily handling between 3-4Gbps
>> That's partially hardware, partially OS, and a little tiny config
>> Very near to all rules enabled on these interfaces, as well as all of
>> the preprocessors (minus the broken ones), and a database output
>> 0 dropped packets. If you check the archives for this list, you'll
>> find discussions about kernels that can do polling against network
>> devices, and how this enhances snort performance on high speed links
>> (network performance in general, really). I believe I mention the
>> maybe some config info and hardware used.
> -- end snip --
> FREE pop-up blocking with the new MSN Toolbar get it now!
> This SF.Net email is sponsored by: Oracle 10g
> Get certified on the hottest thing ever to hit the market... Oracle
> 10g. Take an Oracle 10g class now, and we'll give you the exam FREE.
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
More information about the Snort-users