[Snort-users] High Speed Network Cards + rules?

Keith W. McCammon keith-list at ...6015...
Mon May 24 12:07:05 EDT 2004


> It is my understanding that most network cards at 50% capacity begin to
> miss packets and create a false negatives condition (IDS evasion technique).
> Is anyone aware of any cards that exist that collect 100% of the traffic
> with 0% false negatives due to this condition?  If not, what is the next
> best thing?

The amount of dropped packets is a function of a lot more than the card.
You have memory, CPU, etc. Having a good card (Intel Pro has always
worked very well for me--as good as any) goes a long way, but you need a 
goodly amount of RAM and CPU time to keep up if you want to push the 
limits of your network.

> Secondly, does anyone know of any other snort rule repositories aside from
> those presented at snort.org?

Http://whitehats.com is the largest that comes to mind.  Generally 
speaking, the more rule repositories we have, the worse off we are. 
Rules should be submitted to and classified via the snort-rules list and 
the master rules database.  You get Snort, you get *all* the rules. 
Turn 'em on and off from there.  I'm rambling...



