Snort mailing list archives
RE: Looking for recommendations for distributed Snort GiGE Sensors (network architecture described in message)
From: "Tim" <tim () otten co uk>
Date: Tue, 9 Dec 2003 13:11:52 -0000
Although I am not an expert on snort at high speeds, I have read of several problems with high speed situations. First of all I doubt very much that using a 33MHz bus is a good idea. I would go for PCI-X 2.0+ or at least PCI-X. Also you would need to run a custom version of Libpcap. And the database server I believe would need to be scsi & raid configuration with plenty of ram.

This post may help:

'I'm working to optimize Snort on a gigabit Ethernet connection. The system is a dual 2.8ghz Xeon Dell PowerEdge with a gig of RAM, Phil Wood's Libpcap 8 library, running Snort 2.04. I've pared down the rule set eliminating most irrelevant rules for this subnet. I am using a Cisco Catalyst 4000 series switch to mirror (SPAN) all traffic on the switch to the dedicated promiscuous Intel e1000 adapter in the Snort system. The average traffic utilization of the switch is under 15% but I'm still dropping up to 40% of packets. I'm also using the unified log and alert output facilities and mudpit to process the logs. Snort is not doing any other type of logging. Today I also noticed that Snort is consuming 99.9% of one of the 2.8ghz processors (I know Snort is not SMP capable yet). My question is: is that unusual? I'm surprised it's pegging a 2.8ghz processor. Am I using CPU intensive preprocessors? Any wisdom from fellow Snorters would be most appreciated. I'm working to compile the latest Intel e1000 driver now to see if that helps.'

Regards
Tim Otten

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Landon Stewart
Sent: 09 December 2003 07:49
To: snort-users () lists sourceforge net
Subject: [Snort-users] Looking for recommendations for distributed Snort GiGE Sensors (network architecture described in message)

Any recommendations on hardware (for now) are greatly appreciated. Cost effectiveness is important so a minimum to do the job.
I don't want to get into load balancing on multiple 100mbit links if possible as the iron is too costly.

- I've seen discussion about bus speeds and the maximum data that can be processed with those bus speeds. What is my minimum? Could I get away with 33MHz bus?
- What if I use fiber GiGE links?

Network description (hardware/throughput):

NOC 1:
Router - CORE1 - Cisco 12008 GSR
PIPE 1 Gbit/s
AVG 140 Mbit/s
PEAK 184 Mbit/s
Router - CORE2 - Cisco 12008 GSR
PIPE 1 Gbit/s
AVG 102 Mbit/s
PEAK 180 Mbit/s
Both routers distribute traffic to their own distribution switches (each one is a CAT5513)
Visualize this at: http://nsssc.superb.net/img/dca1-fall2003.gif

NOC 2:
Router - CORE1 - Cisco 12012 GSR
PIPE 1 Gbit/s
AVG 110 Mbit/s
PEAK 130 Mbit/s
Router - CORE2 - Cisco 12012 GSR
PIPE 1 Gbit/s
AVG 200 Mbit/s
PEAK 280 Mbit/s
Both routers distribute traffic to their own distribution switches (each one is a CAT4912G)
Visualize this at: http://nsssc.superb.net/img/dca2-fall2003.gif

- If you could look at the URLs listed to visualize the networks, where would the best place be to put mirrored sensors and what kind of hardware would I require?
- What kind of requirements would I need for the centralized database system to store the alerts given the amount of IDS data that might be produced? Does it need SCSI or striped RAID? Could I get away with a good SCSI drive and some good RAM?
- Other than ACID what are the other *good* analysis consoles?

I had thought maybe EACH core router (or distribution switch) would require:
1 x fast machine like a DUAL 2.4GHz with 1GB of RAM
1 x GiGE interface (fiber?)

- Could I get away with one sensor for each NOC and each of those sensors would have two GiGE interfaces or would that be too much data to process? I doubt I could do two CORE routers on one machine but what do you think?
More complete network architecture information can be found at: http://nsssc.superb.net/information/dca1net-info.php and http://nsssc.superb.net/information/dca2net-info.php

Thank you to anyone who responds with any information!

-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials. Become an expert in LINUX or just sharpen your skills. Sign up for IBM's Free Linux Tutorials. Learn everything from the bash shell to sys admin. Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
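Added example (not from Tim's or Landon's messages, nor code from Snort): a small Python sizing helper that applies Tim's bus-speed caution to the link figures Landon posted, checking one sensor per core against one dual-NIC sensor per NOC, and showing the worst-case packet rate a sensor must absorb. The raw bus bandwidth is clock times width; the 50% usable share of the bus and the 2x burst headroom are my assumptions.

```python
from dataclasses import dataclass

# Link figures transcribed from Landon's network description: (avg, peak) Mbit/s.
NOC_LINKS = {
    "NOC1": {"CORE1": (140, 184), "CORE2": (102, 180)},
    "NOC2": {"CORE1": (110, 130), "CORE2": (200, 280)},
}

@dataclass(frozen=True)
class Bus:
    name: str
    clock_mhz: int
    width_bits: int

    def raw_mbit_s(self) -> int:
        # Theoretical burst bandwidth: clock * width (33 MHz * 32 bit = 1056 Mbit/s).
        return self.clock_mhz * self.width_bits

# Bus generations discussed in the thread; 33 MHz is rounded from 33.3 MHz.
BUSES = [Bus("PCI 33MHz/32-bit", 33, 32),
         Bus("PCI 66MHz/64-bit", 66, 64),
         Bus("PCI-X 133MHz/64-bit", 133, 64)]

# Minimum Ethernet frame on the wire: 64 bytes + 8 preamble + 12 inter-frame gap.
MIN_FRAME_BITS = (64 + 8 + 12) * 8

def min_frame_pps(mbit_s: float) -> int:
    """Worst-case packet rate for a link filled with minimum-size frames.
    This, not the bit rate, is what a sensor must keep up with during bursts."""
    return int(mbit_s * 1_000_000 // MIN_FRAME_BITS)

def bus_fits(bus: Bus, peaks_mbit_s, usable: float = 0.5, headroom: float = 2.0) -> bool:
    """True if the bus can carry the summed link peaks with headroom.
    usable: share of raw bus bandwidth the capture NIC actually gets, since the
    bus is shared with disk and other devices (assumed 50%).
    headroom: multiplier for bursts above the sampled peak (assumed 2x)."""
    need = sum(peaks_mbit_s) * headroom
    return bus.raw_mbit_s() * usable >= need

def plan(noc: str) -> dict:
    """For one NOC, check one sensor per core vs one dual-NIC sensor, per bus."""
    peaks = [peak for _, peak in NOC_LINKS[noc].values()]
    return {bus.name: {"per_core": all(bus_fits(bus, [p]) for p in peaks),
                       "one_sensor": bus_fits(bus, peaks)}
            for bus in BUSES}

if __name__ == "__main__":
    print("worst-case pps on one GigE link:", min_frame_pps(1000))
    for noc in NOC_LINKS:
        print(noc, plan(noc))
```

Under these assumptions a 33MHz/32-bit bus passes only NOC 1's per-core case; the dual-NIC single-sensor layout needs at least 64-bit/66MHz PCI or PCI-X, which matches Tim's advice.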
Current thread:
- Looking for recommendations for distributed Snort GiGE Sensors (network architecture described in message) Landon Stewart (Dec 08)
- RE: Looking for recommendations for distributed Snort GiGE Sensors (network architecture described in message) Tim (Dec 09)
- <Possible follow-ups>
- RE: Looking for recommendations for distributed Snort GiGE Sensors (network architecture described in message) Val P (Dec 10)
- RE: Looking for recommendations for distributed Snort GiGE Sensors (network architecture described in message) Michael Steele (Dec 10)
- RE: Looking for recommendations for distributed Snort GiGE Sensors (network architecture described in message) Jason Haar (Dec 11)
- RE: Looking for recommendations for distributed Snort GiGE Sensors (network architecture described in message) Landon Stewart (Dec 11)