[Snort-users] Deployment Sizes? was: anyone trying kickfire to improve SQL performance?

Joel Esler joel.esler at ...1935...
Sun May 4 09:43:39 EDT 2008


Just remember that dropping packets in Snort's case could possibly be  
detrimental to some of the preprocessors.  You want to shoot for 0%  
dropped packets in anything that you do.

I do believe that you are getting too big on that one box.  Snort  
isn't multi-core aware (yet), and while it helps to have a very  
powerful machine, there are limitations at some point without custom  
software to handle it.

J

On May 3, 2008, at 9:40 PM, Stewart L wrote:

> I figured we'd add until we start dropping too many packets.  The  
> CPU load on each core is only about 45% right now and we're dropping  
> less than 1% of packets through the box.  We're also doing some  
> processor affinity stuff and dedicating a couple cores to SQL and  
> each instance of snort gets its own core as well.
>
> I'd be interested in hearing from other folks doing large setups...
>
> Stewart
>
>
> On Sat, May 3, 2008 at 5:13 PM, Jason Haar  
> <Jason.Haar at ...294...> wrote:
> Stewart L wrote:
> > Well, I wasn't in charge of the deployment. I handed it off to one of
> > the guys on my team to do the research and recommendations.
> >
> > Part of the problem is that there is no SOLID advice out there on how
> > to set up and tweak a lot of this stuff.  We have the O'Reilly books
> > and have done some searches, but there is a lot of hand waving and not
> > a lot of solid answers.
>
> There are too many variables for there to be a "one size fits all"
> answer. That's why companies like SourceFire exist - they do all that
> background 'thinking' for you and produce a product that 'just works'.
>
> You should check the solution you have actually works. 6-16 100Mbs
> Ethernet monitors on one box is probably too many. Unless you've
> cherry-picked the motherboard, Ethernet cards, etc. And I'm assuming
> they're 100M - if they are Gb - you almost certainly have a problem.
>
>
> >
> > So, you're saying that if I were to have another machine do the actual
> > capture and a separate database machine, I'd be better off in the long
> > haul?  That should be pretty easy to set up.
> >
> Yup - you won't get all the hard SQL work interfering with the hard
> packet sniffing work. And barnyard of course instead of native SQL  
> support.
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
> Don't miss this year's exciting event. There's still time to save  
> $100.
> Use priority code J8TL2D2.
> http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> -- 
> Stewart
>
> The revolution will not be televised.
> The revolution will be no re-run brothers;
> The revolution will be live.  


--
Joel Esler  joel.esler at ...1935...