[Snort-users] Advice on quad ethernet card
taosecurity at ...11827...
Fri Nov 19 13:23:09 EST 2004
Darden, Patrick S. wrote:
> I don't think this is a good idea. You will see a lot of drops if you have
> any amount of traffic at all.
Hello Patrick D and Patrick M,
I disagree with this opinion, but I respect your caution. Still, if
"a lot of drops" occurred with "any amount of traffic at all," how
could vendors ever sell quad NICs?
Your Snort performance is a function of the following components:
- Hard drive
- PCI bus
- NIC quality
- Sensor OS
- Snort Configuration
These are not in any particular order.
Choosing a high-quality quad NIC -- or any NIC -- is important. (Ask
old Realtek owners.)
I've had good quad NIC capture results for 10/100 Mbps with the
Adaptec ANA-62044.  The ANA-62044 isn't sold new, so Adaptec's
upgrade product is a 66 MHz 64 bit card.  The ANA-62044 is a 33
MHz 64 bit card.
I believe Intel makes some of the best NICs around, but their current
quad NIC is a gigabit card.  For that reason I would avoid it,
unless you conduct rigorous testing. When you start thinking you can
monitor multiple gigabit links with a quad NIC, you need to be using a
robust PCI-X bus and not regular PCI, plus carefully handling all of
the other performance factors listed earlier.
Patrick D's recommendation of using two dual NICs might also work.
I've used Intel PRO/100+ Dual Port Server Adapters (PILA8472),
although I had to replace one of them after a hardware failure.
Intel's new dual NICs are either 10/100 Mbps crypto-enabled models or
gigabit models. [3, 4]
Whatever you decide, you should try building a test sensor and see how
it performs in your environment.
More information about the Snort-users