RE: Snort and high performance networks

["Corey Rock" <snort_sigs () hotmail com>]

Hi Rafael!

As I understand it, the underlying DB of Mysql could be the cause of 
slowness, but more likely the schema is in need of updating.....as well as 
the one for microsoft sql...

if your db's investigate, can you have them look over the schema, and see if 
that's possibly where the problem with slow db query responses might be?

and then kindly post your findings here?  !!!

Thanks!

Corey


> From: "Rafael Ortega" <rafael.ortega () telecarrier com>
>
>
> I'm waiting for the company's DB people to give me a hand. Maybe migrate
> from Mysql to something more efficient or update the hardware (Sun Netra T1
> with 512MB RAM doing only the DB).
>
> The sniffer is an Intel Xeon 2.4GHz with 1GB RAM running only snort and
> barnyard.
>
>
>
> -----Original Message-----
> From: snort-users-admin () lists sourceforge net
> [mailto:snort-users-admin () lists sourceforge net]On Behalf Of
> Kreimendahl, Chad J
> Sent: jueves, 20 de mayo de 2004 13:12
> To: Christopher Rapier
> Cc: snort-users () lists sourceforge net
> Subject: RE: [Snort-users] Snort and high performance networks
>
>
>
> FWIW... I've got systems that are easily handling between 3-4Gbps each.
> That's partially hardware, partially OS, and a little tiny config work.
> Very near to all rules enabled on these interfaces, as well as all of
> the preprocessors (minus the broken ones), and a database output plugin.
>
> 0 dropped packets.   If you check the archives for this list, you'll
> find discussions about kernels that can do polling against network
> devices, and how this enhances snort performance on high speed links
> (network performance in general, really).  I believe I mention the OSes,
> maybe some config info and hardware used.
>
> If it's of any value, the machine I'm talking about above (handling
> >3Gbps) cost around $2500 (not sure if that's retail).
>
> -----Original Message-----
> From: Christopher Rapier [mailto:rapier () psc edu]
> Sent: Thursday, May 20, 2004 11:32 AM
> Cc: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] Snort and high performance networks
>
>
> On May 20, 2004, at 11:45 AM, Kreimendahl, Chad J wrote:
>
> >
> > Well, I'm sure there is a system out there that can handle this, but
> my
> > question would be:  How in the world do you expect to get a 30GBps
> > connection pumped to unix/win machine?   Assuming Cisco device, you
> > might be able to pump 2 SPANS (at 1G each) to a sensor...   The other
> > two should be no problem... But that 30G on a single device... Rough
> > one.
> >
> Well, the 30GB is really just an example of the size of the networks I
> have to deal with. I don't actually think we can do much for that
> network Maybe after it gets broken up to different subnets inside of
> our network though. Anyway, the question was really about what the
> limits of snort are in terms of how much data it can handle assuming we
> can get that much data to it. Even with a minimal rule set on a fast
> unix box I wonder what we can pull off.
>
> I think other people out there must have run across using snort on
> higher speed links (say 600 to 800Mbps) and I wonder what sort of
> problems they've encountered and if their solutions might scale up to
> even higher speeds.
>
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by: Oracle 10g
> Get certified on the hottest thing ever to hit the market... Oracle 10g.
>
> Take an Oracle 10g class now, and we'll give you the exam FREE.
> http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by: Oracle 10g
> Get certified on the hottest thing ever to hit the market... Oracle 10g.
> Take an Oracle 10g class now, and we'll give you the exam FREE.
> http://ads.osdn.com/?ad_id149&alloc_id
66&op=ick
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=ort-users
>
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by: Oracle 10g
> Get certified on the hottest thing ever to hit the market... Oracle 10g.
> Take an Oracle 10g class now, and we'll give you the exam FREE.
> http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

_________________________________________________________________
Watch the online reality show Mixed Messages with a friend and enter to win 
a trip to NY 
http://www.msnmessenger-download.click-url.com/go/onm00200497ave/direct/01/



-------------------------------------------------------
This SF.Net email is sponsored by the new InstallShield X.
> From Windows to Linux, servers to mobile, InstallShield X is the one
installation-authoring solution that does it all. Learn more and
evaluate today! http://www.installshield.com/Dev2Dev/0504
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users