Snort mailing list archives
Re: Gigabit snort?
From: Jeff Nathan <jeff () snort org>
Date: Wed, 17 Apr 2002 14:48:37 -0700
Michael Cunningham wrote:
Folks,

My company currently has 3x 45 mbit links to the net that I would like to monitor with snort. We plan on getting an OC12 soon. Is anyone running snort to monitor this level of traffic? We easily max out our 3x 45 mbit links during peak times.

I would like to place sensors inside and outside my firewalls in order to correlate results. Can a high end x86 Linux system handle this level of traffic? I was planning on centrally logging everything to a mySQL database for analysis (I am planning 5 other sensors on my internal LAN as well).

Is anyone else running a high end snort setup? I would love to get some constructive advice on a setup this size. What gigabit cards are you using? What fiber taps? Server hardware? etc..

Thanks..
Mike
Hi Mike,

I thought I'd take pity on those in this situation. With a relatively beefy box you might be able to handle all three 45mb links with one sensor and a Gigabit Ethernet card. Planning for the future, you'll probably want to instead use a tap.

Both Shomiti (Finisar) and Netoptics fiber taps work fine - though Finisar seems a bit clueless about Shomiti products. To connect either the Shomiti or the Netoptics fiber tap to an IDS load balancer's GBICs you'll need an analyzer "Y" cable (shown at the bottom of this pdf: http://www.netoptics.com/96042-gig.pdf).

Both Top Layer and Radware claim to be able to load balance even when the connection is split between two GBICs (as it will be when coming off the analyzer port on a tap). The hardware of course is up to you. (We can talk offline if you have further questions.)

I hope this is helpful.

-Jeff

--
http://jeff.wwti.com (pgp key available)
"Common sense is the collection of prejudices acquired by age eighteen."
- Albert Einstein