[Snort-users] Snort and high performance networks

Christopher Rapier rapier at ...11836...
Fri May 21 10:33:04 EDT 2004


To be fair, I think that 800Mbps is completely and totally possible. I
can capture 400Mbps on a dual P3 800 - I'm not running it through
snort but my own set of software, which might be more computationally
intensive. Now, my system isn't set up all that well - if I were smart I
would have gotten a single-proc box - the dual system just eats up too
many interrupts, which is where my main problem is. The SysKonnect
card just throws off too many interrupts for the hardware to keep up.
With some modifications, including more aggressive interrupt coalescing,
wedging a larger buffer into the libpcap code, and possibly some minor
kernel mods, I can see it hitting 800Mbps. Even better would be getting
it into a more up-to-date box with a single proc and PCI-X.

My specific problem is that we're - essentially - an all-optical house
here, so I need to use two GigE cards to capture both inbound and
outbound, which means more hassles with interrupts and so forth and
such not. Not a good time.

Anyway, I'll be talking with someone who used to be with Endace and
the DAG project over at Waikato (en zed university). I saw some of the
work they've been doing at the PAM 2001 conf and have been keeping an
eye on them since. After the presentation I'll sit down and see what he
has to say about this issue and post some highlights here.


On May 21, 2004, at 11:58 AM, snort user wrote:

> Hi,
>
> I've snipped out some of the recent posts to this thread. We've been
> doing extensive research into snort speeds at my University, and to me
> it seems like these 2 posts are completely inaccurate and absurd.
> Chad claims to capture all traffic with all rules and preprocessors
> with a $2500 piece of hardware, while if you buy a $50,000 solution
> from Sourcefire (home of the creator of snort) you can only get 1 Gig
> and they disable rules and preprocessors
> (http://osec.neohapsis.com/results/nids/sourcefire-ns3020f-2.6-06.25.2003/productinfo.html).
> And then when Chris asked you your specs on your box you defer him to
> TopLayer.
>
> Even getting 800 Mb/s as Rafael said is not impossible, but really is
> not feasible without hardcore kernel modification and maybe even
> silicon chips and ASIC cards.
>
> Would either of you like to share how you're able to do this, I mean the
> technologies and hardware you're using? Also, how do you verify these
> results?
>
> -- UoC --
>
>
> -- snip Rafael Ortega--
>> I'm currently snorting close to 800Mbps with no problem. What to do
>> with the amount of info is another story. I tried ACID, but after 24
>> hours and 700,000 events registered, the database becomes too slow,
>> even after indexing certain reference fields.
> -- end snip --
>
> -- snip Kreimendahl, Chad --
>> FWIW... I've got systems that are easily handling between 3-4Gbps
>> each. That's partially hardware, partially OS, and a little tiny
>> config work. Very near to all rules enabled on these interfaces, as
>> well as all of the preprocessors (minus the broken ones), and a
>> database output plugin.
>>
>> 0 dropped packets. If you check the archives for this list, you'll
>> find discussions about kernels that can do polling against network
>> devices, and how this enhances snort performance on high speed links
>> (network performance in general, really). I believe I mention the
>> OSes, maybe some config info and hardware used.
> -- end snip --