Snort mailing list archives

Re: Snort as Gigabit Sensor


From: Bennett Todd <bet () rahul net>
Date: Thu, 24 Jul 2003 15:36:46 -0400

2003-07-24T14:43:39 Banniza Robert:
Anyone have any good pointers on tuning Linux (Redhat 9) as a gigabit
sensor?

Not this year.

Expect to hit a flat out impenetrable wall at c. 300Mbps for a
PCI-bus NIC, possibly as much as 550-600 for PCIx. These limits seem
to show up consistently, I've heard 'em from a lot of different
sources.

To approach those speeds you should

 - run on unnumbered interface in promisc --- you don't want the
   OS's IP stack analyzing the traffic (hence TCP tuning won't help)

 - use snort 2

 - give it plenty of ram (512MB is a good idea, cheap as ram is go
   ahead and give it a GB for future-proofing)

 - get the ring-buffered libpcap for Linux

 - go through the preprocessors, seeing which ones you can do
   without

 - tune the config --- this is not optional if you want to hit
   multiple-hundred-mbps performance realms. Dial out false
   positives, get the alarm-generation rate down to something
   reasonable. Adjust the *_NET, *_SERVERS, *_PORTS tuning vars in
   snort.conf. #-out rules files you're not actively interested in.
   Examine the individual rules in the files you're including and
   eliminate any that don't apply to platforms you use.

Once you've gone down that road, a modern hot box ought to be able
to snort at bus speed limit (c. 300/550 Mbps as mentioned above).
Next year's hot box with a faster interface to the NIC may well be
able to do an honest Gbps. Maybe. I'll believe it when I see it:-).

-Bennett
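The "tune the config" step above (set the *_NET/*_SERVERS/*_PORTS vars, #-out rule files you don't need) can be scripted so the same pruned snort.conf is reproduced on every sensor. The following is an added shell example, not code from the original thread or from the Snort project; it assumes a Linux box with GNU awk and sed, a Snort 2-style snort.conf that uses `var` lines and `include $RULE_PATH/...` lines, and it builds its own small constructed snort.conf under /tmp to work on.

```shell
#!/bin/sh
# Added example: prune and re-var a Snort 2 snort.conf from a keep-list.
# Assumes GNU awk/sed; every path and value below is constructed for the demo.

# Write a small, constructed snort.conf to $1 (stand-in for a real one).
write_sample_conf() {
    cat > "$1" <<'EOF'
var HOME_NET any
var EXTERNAL_NET any
var HTTP_SERVERS $HOME_NET
var HTTP_PORTS 80
preprocessor frag2
preprocessor stream4: detect_scans
include $RULE_PATH/web-iis.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/chat.rules
EOF
}

# Comment out every "include $RULE_PATH/<name>.rules" whose <name> is not in
# the space-separated keep list in $2. Writes $1.tuned and prints its path.
prune_rule_includes() {
    conf="$1"; keep="$2"
    awk -v keep="$keep" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) want[k[i] ".rules"] = 1 }
        /^include[ \t]+\$RULE_PATH\// {
            f = $2; sub(/^\$RULE_PATH\//, "", f)
            if (!(f in want)) { print "# " $0; next }
        }
        { print }
    ' "$conf" > "$conf.tuned"
    echo "$conf.tuned"
}

# Rewrite an existing "var NAME ..." line in $1 to "var NAME VALUE" ($2, $3).
# Narrowing HOME_NET/EXTERNAL_NET is what cuts the false-positive volume.
set_var() {
    sed -i "s|^var $2 .*|var $2 $3|" "$1"
}

# Number of rule-file includes still active (uncommented) in $1.
count_active_includes() {
    grep -c '^include[[:space:]]*\$RULE_PATH/' "$1"
}

# Demo run on the constructed file: keep only web-iis and exploit rules,
# pin HOME_NET to a constructed sensor subnet, point EXTERNAL_NET at its negation.
demo() {
    src=/tmp/snort_tune_demo.conf
    write_sample_conf "$src"
    tuned=$(prune_rule_includes "$src" "web-iis exploit")
    set_var "$tuned" HOME_NET 192.168.1.0/24
    set_var "$tuned" EXTERNAL_NET '!$HOME_NET'
    echo "active rule includes after pruning: $(count_active_includes "$tuned")"
    cat "$tuned"
}

demo
```

Run it against a real snort.conf by pointing `prune_rule_includes` at it with the rule files you actually want; the original is left untouched and the result lands beside it as `snort.conf.tuned`, so you can diff the two before swapping it in. The interface itself still has to be brought up unnumbered and in promiscuous mode outside this script, as the post describes.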
