[Snort-users] Snort and high performance networks

SN ORT snort_on_acid at ...131...
Fri May 21 11:15:07 EDT 2004

Are you guys ACTUALLY running traffic at 800Mbps or even 2-3 Gbps? I mean, what application or server processes that much data on the line? This dude stated he had an OC-whatever pumping 30Gbps, and Chad asked a very appropriate question as to how on earth anyone would Snort that line short of buying a machine with an OC-3 $$ (CHA-CHING!) interface stuck in it. Most people would use Sniffer with a WAN interface and network fiber taps to get "quick snapshots".

Back to the 3-4Gbps line: you have 10Gbps interfaces deployed already? How exactly are you seeing 3-4Gbps traffic, is it steady, and what applications use that? I mean, most switches see that kind of total backbone traffic and you can actually use switch-based IDS (like the one from Cisco)... unless of course you have a 10Gbps backbone, but to where does that much traffic travel?

> From: "Rafael Ortega" <rafael.ortega at ...11845...>
> To: <snort-users at lists.sourceforge.net>
> Subject: RE: [Snort-users] Snort and high performance networks
> Date: Fri, 21 May 2004 08:25:47 -0500
>
> Hello, All
>
> I'm currently snorting close to 800Mbps with no problem. What to do with the amount of info is another story. I tried ACID, but after 24 hours and 700,000 events registered, the database becomes too slow, even after indexing certain reference fields.
>
> I've taken to logging to syslog in a separate file, and use snortalog nightly to generate reports from it. I still use Barnyard/ACID, but clean the database every 24 hours. I use it mostly to get quick snapshots of current events.
>
> I'm waiting for the company's DB people to give me a hand. Maybe migrate from MySQL to something more efficient or update the hardware (Sun Netra T1 with 512MB RAM doing only the DB).
>
> The sniffer is an Intel Xeon 2.4GHz with 1GB RAM running only snort and barnyard.
>
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Kreimendahl, Chad J
> Sent: Thursday, 20 May 2004 13:12
> To: Christopher Rapier
> Cc: snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] Snort and high performance networks
>
> FWIW... I've got systems that are easily handling between 3-4Gbps each. That's partially hardware, partially OS, and a little tiny config work. Very near to all rules enabled on these interfaces, as well as all of the preprocessors (minus the broken ones), and a database output plugin. 0 dropped packets. If you check the archives for this list, you'll find discussions about kernels that can do polling against network devices, and how this enhances snort performance on high speed links (network performance in general, really). I believe I mention the OSes, maybe some config info and hardware used.
>
> If it's of any value, the machine I'm talking about above (handling >3Gbps) cost around $2500 (not sure if that's retail).
>
> -----Original Message-----
> From: Christopher Rapier [mailto:rapier at ...11836...]
> Sent: Thursday, May 20, 2004 11:32 AM
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Snort and high performance networks
>
> On May 20, 2004, at 11:45 AM, Kreimendahl, Chad J wrote:
> >
> > Well, I'm sure there is a system out there that can handle this, but my question would be: How in the world do you expect to get a 30GBps connection pumped to unix/win machine?

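Rafael's approach in the quoted message (alerts to a dedicated syslog file, a nightly report instead of querying an ever-growing ACID database) can be done with plain awk. This is an added example, not code from the thread or from snortalog; the log lines are a constructed sample in the Snort 2 alert_syslog format, and `events_by_sid`, `top_sources` and `high_priority_count` are names chosen here.

```shell
#!/bin/sh
# Nightly alert summary from a dedicated Snort syslog file.
# The lines below are a constructed sample in Snort 2 alert_syslog format; the
# sensor name, PID, signature ids and addresses are placeholders, not real data.
ALERTS=$(mktemp)
trap 'rm -f "$ALERTS"' EXIT
cat > "$ALERTS" <<'EOF'
May 21 00:10:01 sensor snort[4242]: [1:1000001:1] EXAMPLE ssh probe [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:40001 -> 198.51.100.5:22
May 21 00:10:02 sensor snort[4242]: [1:1000001:1] EXAMPLE ssh probe [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:40002 -> 198.51.100.6:22
May 21 00:11:30 sensor snort[4242]: [1:1000002:2] EXAMPLE web scanner UA [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.77:51000 -> 198.51.100.9:80
May 21 00:12:45 sensor snort[4242]: [1:1000001:1] EXAMPLE ssh probe [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.4:40003 -> 198.51.100.5:22
May 21 00:13:00 sensor cron[99]: (root) CMD (run-parts /etc/cron.hourly)
EOF

# Events per signature, most frequent first: "<count> <gid:sid:rev> <message>".
# Lines from other syslog sources sharing the file are skipped by the pattern.
events_by_sid() {
  awk '/snort\[[0-9]+\]: \[[0-9]+:[0-9]+:[0-9]+\]/ {
         sub(/^.*snort\[[0-9]+\]: \[/, "")           # keep "gid:sid:rev] MSG [Classification..."
         sid = substr($0, 1, index($0, "]") - 1)
         rest = substr($0, index($0, "]") + 2)
         msg = substr(rest, 1, index(rest, " [") - 1)
         n[sid]++; m[sid] = msg
       }
       END { for (s in n) print n[s], s, m[s] }' "$1" | sort -rn
}

# Source addresses by event count, ports stripped: "<count> <src>".
top_sources() {
  awk '/snort\[[0-9]+\]: \[[0-9]+:[0-9]+:[0-9]+\]/ {
         for (i = 2; i <= NF; i++) if ($i == "->") src = $(i - 1)
         sub(/:[0-9]+$/, "", src)                    # IPv4 "addr:port" -> "addr"
         n[src]++
       }
       END { for (s in n) print n[s], s }' "$1" | sort -rn
}

# Priority-1 events get their own line in the report.
high_priority_count() {
  grep -c -- 'snort\[[0-9]*]: .*\[Priority: 1]' "$1"
}

# Example nightly run (cron would call this after the syslog file is rotated):
echo "== events by signature =="; events_by_sid "$ALERTS"
echo "== top sources ==";         top_sources "$ALERTS"
echo "priority 1 events: $(high_priority_count "$ALERTS")"
```

Pointing `$ALERTS` at the rotated file of the previous day gives the same nightly snapshot without the database ever growing.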
