No subject


Thu Nov 23 16:36:19 EST 2017


Check out this product from TopLayer.

http://www.toplayer.com/content/products/intrusion_detection/ids_balancer.jsp

Their product does IDS load balancing and they support gigabit interfaces.
From reading their website, traffic from your SPAN/Monitor can be replicated
to as many interfaces as you choose. In that scenario, you could have
individual sensors in each interface and distribute the signatures among
them.  It also appears that it supports some type of traffic filtering per
interface.  That may prevent Snort from dropping packets.

I've never used this type of product before so I don't know how well it
works.  Anyone used their product? 

Hope this helps!

Joshua Scott
Security Systems Analyst, CISSP
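The load-balancer arrangement in the reply above (replicate the SPAN feed to several sensors, filter per interface) only helps if both directions of a connection reach the same Snort sensor; otherwise stream reassembly and stateful rules on each sensor see half a session. The following is an added example, not code from this thread or from TopLayer's product; it assumes a simple dict-per-packet representation and constructed sample packets, hashes a direction-independent 5-tuple to choose a sensor, and contrasts that with a naive destination-address split.

```python
# Added example: flow-affinity hashing for splitting one SPAN feed across N
# IDS sensors. Packets are plain dicts; the sample traffic is constructed.
import hashlib
import struct
from collections import defaultdict
from ipaddress import ip_address


def _endpoint(ip: str, port: int) -> bytes:
    # Pad IPv4 to 16 bytes so v4 and v6 keys share one fixed layout.
    return ip_address(ip).packed.rjust(16, b"\x00") + struct.pack("!H", port)


def flow_key(src_ip, src_port, dst_ip, dst_port, proto: int) -> bytes:
    """Direction-independent 5-tuple: A->B and B->A yield the same key."""
    a, b = _endpoint(src_ip, src_port), _endpoint(dst_ip, dst_port)
    return min(a, b) + max(a, b) + bytes([proto])


def assign_sensor(pkt: dict, n_sensors: int) -> int:
    """Symmetric hash of the 5-tuple, so both directions hit one sensor."""
    key = flow_key(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big") % n_sensors


def assign_by_dst(pkt: dict, n_sensors: int) -> int:
    """Naive split on destination address only (what a plain per-interface
    address filter does); the reply direction lands on another sensor."""
    return int(ip_address(pkt["dst"])) % n_sensors


def check_flow_affinity(packets, n_sensors, assign) -> bool:
    """True if every packet of a given flow is seen by exactly one sensor."""
    seen = defaultdict(set)
    for p in packets:
        key = flow_key(p["src"], p["sport"], p["dst"], p["dport"], p["proto"])
        seen[key].add(assign(p, n_sensors))
    return all(len(s) == 1 for s in seen.values())


# Constructed sample: one TCP session in both directions, plus a UDP exchange.
PACKETS = [
    {"src": "10.1.2.3", "sport": 51000, "dst": "192.0.2.10", "dport": 80, "proto": 6},
    {"src": "192.0.2.10", "sport": 80, "dst": "10.1.2.3", "dport": 51000, "proto": 6},
    {"src": "10.1.2.3", "sport": 51000, "dst": "192.0.2.10", "dport": 80, "proto": 6},
    {"src": "10.1.7.8", "sport": 40000, "dst": "192.0.2.53", "dport": 53, "proto": 17},
    {"src": "192.0.2.53", "sport": 53, "dst": "10.1.7.8", "dport": 40000, "proto": 17},
]

if __name__ == "__main__":
    for name, fn in (("flow hash", assign_sensor), ("dst only", assign_by_dst)):
        print(name, "keeps flow affinity:", check_flow_affinity(PACKETS, 4, fn))
```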

-----Original Message-----
From: Travis S. [mailto:security at ...8176...] 
Sent: Thursday, January 30, 2003 4:28 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Handling of a 1 or 2 GB pipe?


Snort-Users,

I am considering using Snort to monitor traffic on a 1 Gbps internet link,
so the combined throughput of the monitored traffic would be 2 Gbps.  The
average load is 1 Gbps (combined) and it wouldn't be surprising to see
constant levels of above 1.5 Gbps.  The most likely implementation will
involve mirroring a switch port to receive the data.  The network is over 60
subnets, with 50,000+ hosts.

How well would Snort handle reviewing packets of such a link?  I basically
want to pick apart packets and examine a few key bytes to determine the
application that is used to send the data.  I'm not sure if it's possible to
do this on-the-fly, or if it would be better to log the data and analyze
from disk.

Has anyone done similar things?  Any comments on hardware requirements?
Comments overall about the concept?  Operating system suggestions (and
version?)?

Thanks,
Travis S.

