[Snort-users] Super Fast Snort Considerations

Joel Esler (jesler) jesler at ...589...
Mon Aug 31 10:42:09 EDT 2015


It’s definitely possible.  It’s just not easy to do.




--
Joel Esler
Manager, Threat Intelligence Team & Open Source
Talos Group
http://www.talosintel.com

On Aug 31, 2015, at 10:32 AM, Davison, Charles Robert <cdaviso1 at ...17214...<mailto:cdaviso1 at ...17214...>> wrote:

Good Morning,

We wanted to deploy the snort installation along side our bro hardware configuration: https://commons.lbl.gov/display/cpp/100G+Intrusion+Detection

I was wondering if Packet Pig was still a viable source for processing Big Data. Our data centers could grow up to 400Gb/s and we wanted it to be virtualized.

Joel,

If this is not possible by open source means we will consider the FirePower appliances.



CHARLES R. DAVISON
(865)730-0078
cdaviso1 at ...17214...<mailto:cdaviso1 at ...17214...>



________________________________
From: Jaime Nebrera <jnebrera at ...16842...<mailto:jnebrera at ...16842...>>
Sent: Monday, August 31, 2015 2:00 AM
To: snort-users at lists.sourceforge.net<mailto:snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] Super Fast Snort Considerations

Hi Charles, it seems you are mixing things up a bit.

To have a sensor capable of holding 100Gbps in Snort you need some serious stuff: specialized hardware, I guess hardware offloading, etc.

But you also name BY2. This is a different ball game. To be able to manage the events produced by such an amount of traffic (in this case combining multiple probes) you will also need some serious beef, but there are alternatives there too, both based on SQL and Big Data.



On 30/08/15 at 18:32, Joel Esler (jesler) wrote:
To do 100 Gb/s, you'd need specialized hardware and flow-pinning to divide the traffic amongst several different copies of Snort.  Our firePOWER devices achieve these speeds, but with a lot of specialized code.

--
Joel Esler
Manager, Threat Intelligence and Open Source
Talos Group
Sent from my iPhone

On Aug 30, 2015, at 10:41 AM, Davison, Charles Robert <cdaviso1 at ...17214...<mailto:cdaviso1 at ...17214...>> wrote:

Good Morning,



I was wondering what everyone is using in production for processing snort data at high throughput. We will need to process up to 100Gb/s. I had considered using Packet Pig but don’t know if it’s still viable; the neat thing about it was that it leveraged Hadoop. We ran into performance issues with Snorby and I’m leaning towards just a basic snort install forwarding alerts to our syslog server to be processed by our SIEM tool… any suggestions? If we used By2 I’m not sure it could handle the data. Hardware/Architecture design specifications would be much appreciated.
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net<mailto:Snort-users at lists.sourceforge.net>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org<http://blog.snort.org/> to stay current on all the latest Snort news!
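Joel's point that 100 Gb/s needs "flow-pinning to divide the traffic amongst several different copies of Snort" hides the one property such a splitter must have: both directions of a connection have to land on the same Snort instance, or stream reassembly and stateful rules silently break. The following is an added example, not code from this thread or from the Snort project; the `PacketKey`, `pin_to_worker` and `distribute` names and the sample traffic are constructed here. It shows a symmetric 5-tuple hash of the kind a NIC RSS key, a PF_RING/DPDK splitter, or a front-end load balancer would implement, plus the consistency check a deployment should run before trusting the split.

```python
# Added example: symmetric flow-pinning across N Snort workers.
# Not Snort's own code; names and sample traffic are constructed.
import hashlib
import ipaddress
import struct
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class PacketKey:
    """The 5-tuple a splitter reads from each packet (hypothetical type)."""
    src_ip: str
    dst_ip: str
    proto: int       # 6 = TCP, 17 = UDP
    src_port: int
    dst_port: int


def canonical_flow_key(pkt: PacketKey) -> bytes:
    """Serialize the 5-tuple with endpoints sorted so A->B and B->A yield the same bytes.

    Without this symmetry the two halves of a TCP connection can land on
    different Snort instances, and stream reassembly / stateful rules break.
    """
    a = (ipaddress.ip_address(pkt.src_ip).packed, pkt.src_port)
    b = (ipaddress.ip_address(pkt.dst_ip).packed, pkt.dst_port)
    lo, hi = sorted((a, b))
    return lo[0] + hi[0] + struct.pack("!BHH", pkt.proto, lo[1], hi[1])


def pin_to_worker(pkt: PacketKey, n_workers: int) -> int:
    """Return the index of the Snort instance that owns this packet's flow."""
    if n_workers < 1:
        raise ValueError("need at least one worker")
    digest = hashlib.blake2b(canonical_flow_key(pkt), digest_size=8).digest()
    return int.from_bytes(digest, "big") % n_workers


def reverse(pkt: PacketKey) -> PacketKey:
    """The same flow as seen from the other direction."""
    return PacketKey(pkt.dst_ip, pkt.src_ip, pkt.proto, pkt.dst_port, pkt.src_port)


def distribute(packets, n_workers: int) -> Counter:
    """Count how many packets each worker would receive."""
    return Counter(pin_to_worker(p, n_workers) for p in packets)


def symmetric_for_all(packets, n_workers: int) -> bool:
    """Deployment sanity check: every flow's two directions map to one worker."""
    return all(pin_to_worker(p, n_workers) == pin_to_worker(reverse(p), n_workers)
               for p in packets)


# Constructed sample traffic: 2000 client flows to one HTTPS server, one IPv6
# DNS flow, and a few return-direction packets.
SAMPLE = [PacketKey("10.0.%d.%d" % (i // 256, i % 256), "192.0.2.10", 6,
                    40000 + i, 443) for i in range(2000)]
SAMPLE.append(PacketKey("2001:db8::1", "2001:db8::2", 17, 5000, 53))
SAMPLE += [reverse(p) for p in SAMPLE[:10]]


if __name__ == "__main__":
    workers = 8
    print("both directions pinned together:", symmetric_for_all(SAMPLE, workers))
    for w, n in sorted(distribute(SAMPLE, workers).items()):
        print("snort-%d: %d packets" % (w, n))
```

Two caveats a practitioner would check beyond this toy: non-first IP fragments carry no transport header, so a real splitter must either reassemble them or hash on addresses only for that traffic, and a hash gives even load only when flows are many and similar in size, so a single elephant flow still saturates one instance regardless of how many Snort copies run.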



