[Snort-users] GIG IDS

Martin Roesch roesch at ...1935...
Tue Sep 12 10:48:06 EDT 2006


Snort's not hard limited anywhere but there's more to building a  
gigabit IDS than just putting it on a fast box.  Drivers, OS  
configuration, proper hardware selection and careful performance  
tuning are all required.  You can do it with just open source
software and off the shelf Dell/whatever gear if you're willing to  
write your own drivers for the specific NICs you're using or buying  
something like Endace cards, but even with that you've only solved  
the sensing side of the problem.  There's also the sensor management,  
data management and analysis/reporting that makes the IDS useful to  
the users, and some of that stuff is extremely non-trivial to build.

People can do the math themselves and figure out where the
time/convenience/money tradeoff for their organization lies, but building
a gigabit (high packet per second) IDS is still pretty tough even on
today's systems.

      -Marty

On Sep 12, 2006, at 9:41 AM, Donofrio, Lewis wrote:

> This can be monitored with the open source version as well, just
> without the "polish" - unless the open source version is hard
> limited somewhere?
>
> --comments always welcomed.
> ______________________________________________________________________
> Lewis Donofrio at ...1052...
> Cell: (734) 323-8776
>
>
> ----- Original Message -----
> From: snort-users-bounces at lists.sourceforge.net <snort-users-bounces at lists.sourceforge.net>
> To: Marc Appelbaum <marc.appelbaum at ...11827...>
> Cc: snort-users at lists.sourceforge.net <snort-users at lists.sourceforge.net>
> Sent: Tue Sep 12 09:28:07 2006
> Subject: Re: [Snort-users] GIG IDS
>
> Marc,
>
> Thanks for writing.  You may want to look into Sourcefire  
> Commercially.  We have machines that achieve those speeds easily.  :)
>
> Joel
>
>
> On Tue, Sep 12, 2006 at 08:23:45AM -0400, Marc Appelbaum apparently sent me:
> >
> >    I'm looking for any insight into successful gigabyte Snort
> >    deployments.  My network is a huge multi-gigabyte environment.  Most of
> >    the connections to my firewalls are gig.  My Internet connections are
> >    mostly dual OC-12s.
> >    I'm thinking about using a high end Linux with say Red Hat 4 or
> >    FreeBSD with at least 4 GB RAM with a Dual Core Intel CPU.
> >    Any advice is very welcome.
> >    --Marc
>
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> +----------------------------------------------------------------------+
> joel esler          senior security consultant         1-706-627-2101
> Sourcefire    Security for the /Real/ World -- http://www.sourcefire.com
>        Snort - Open Source Network IPS/IDS -- http://www.snort.org
>          gpg key: http://demo.sourcefire.com/jesler.pgp.key
>            aim:eslerjoel  ymsg:eslerjoel gtalk:eslerj
> +----------------------------------------------------------------------+
>

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org



