[Snort-users] Super Fast Snort Considerations

Jaime Nebrera jnebrera at ...16842...
Mon Aug 31 04:00:40 EDT 2015


   Hi Charles, it seems you are mixing a bit.

   To have a sensor capable of holding 100Gbps in Snort you need some 
serious stuff, specialized hardware, I guess hardware offloading, etc etc

   But you also name BY2. This is a different ball game. To be able to 
manage the events produced by such amount of traffic (in this case 
combining multiple probes) you will also need some serious beef, but there 
are alternatives there too, both based on SQL and Big Data



On 30/08/15 at 18:32, Joel Esler (jesler) wrote:
> To do 100 Gb/s, you'd need specialized hardware and flow-pinning to 
> divide the traffic amongst several different copies of Snort.  Our 
> firePOWER devices achieve these speeds, but with a lot of specialized 
> code.
>
> --
> *Joel Esler*
> Manager, Threat Intelligence and Open Source
> Talos Group
> Sent from my iPhone
>
> On Aug 30, 2015, at 10:41 AM, Davison, Charles Robert 
> <cdaviso1 at ...17214... <mailto:cdaviso1 at ...17214...>> wrote:
>
>> Good Morning,
>>
>> I was wondering what everyone is using in production for processing 
>> snort data at high throughput. We will need to process up to 100Gb/s. 
>> I had considered using Packet Pig but don’t know if it’s still 
>> viable, the neat thing about it was that it leveraged Hadoop? We ran 
>> into performance issues with Snorby and I’m leaning towards just a 
>> basic snort install forwarding alerts to our syslog server to be 
>> processed by our SEIM tool… any suggestions? If we used By2 I’m not 
>> sure it could handle the data. Hardware/Architecture design 
>> specifications would be much appreciated.
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net 
>> <mailto:Snort-users at lists.sourceforge.net>
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest 
>> Snort news!
>
>
