RE: Snort and high performance networks

["Kreimendahl, Chad J" <Chad.Kreimendahl () umb com>]

I saw someone recommend a TopLayer device, and they are nice.   I'd say
if budget it tight, then they're definitely way out of your league.  We
had one in and tested it for a few months, and it did everything they
said it would.  I'd definitely recommend it... if you can afford it 


-----Original Message-----
From: Chris Rapier [mailto:rapier () psc edu] 
Sent: Thursday, May 20, 2004 2:13 PM
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort and high performance networks

Esler, Joel - Contractor wrote:
> How much snort can handle is alone based on RAM, Processor, harddrive
> space, .. physical limitations.  I have had a 486 on 3 x 24 mgbs
> circuits, over 4 Class B's worth of address space and it handled it
> fine.

Well, this is exactly what I'm trying to find out. Is there a machine 
thats powerful enough, within the bounds of reasonability, that will 
allow snort to handle sustained traffic of 3.5 million pps (not 
including ACKs) and still have a useful ruleset? Do we even have to 
maintain a 100% sampling rate or can we get by with 75% or 50% or even 
10%? Can snort handle bonded GigE channels without a problem (I would 
think so but ya never know)?

Look, I know this probably sounds like someone trolling. I mean, how 
many people are actually sitting on top of this much network capacity 
that isn't a 1st tier provider with the ability to just throw money at 
the problem? Well, that would be us (www.psc.edu and www.ncne.net).

Right now we're pushing out 800Mbit single stream tcp flows as a matter 
of course (and can get above a Gbit without too much hassle) but we 
never really dedicated our resources to building really strong security 
(in terms of IDSes and the like)- then there was that incident not so 
long ago that shut down the Grid for a while (some of you might have 
read about it, it was CNN). Now every supercomputing facility and 
teragrid site is scrambling to get their security up to snuff. The 
problem is that we all run on grant money and redirecting resources is 
super difficult. So we need to try and do as much as we can with as 
little money as we can. Which is why if we can use snort - even 
possibleya snort cluster - we'd like to. Thats why I'm here - might as 
well start with the experts and see if they have good insight.

chris



-------------------------------------------------------
This SF.Net email is sponsored by: Oracle 10g
Get certified on the hottest thing ever to hit the market... Oracle 10g.

Take an Oracle 10g class now, and we'll give you the exam FREE.
http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
This SF.Net email is sponsored by: Oracle 10g
Get certified on the hottest thing ever to hit the market... Oracle 10g.
Take an Oracle 10g class now, and we'll give you the exam FREE.
http://ads.osdn.com/?ad_id149&alloc_id66&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users