Snort mailing list archives

Re: SourceFire Appliance 3D9900 capabilities


From: Jason Wallace <jason.r.wallace () gmail com>
Date: Thu, 14 Apr 2011 08:27:19 -0400

There is no integer answer to that question for any IPS. If any IPS
vendor ever tells you differently, you should just get up and walk out
of the room.

It depends on what kind of traffic the sensor would see (not just the
volume), what the quality of that traffic is from a
fragmentation/session perspective, what you want to look
for/protect from, the number of resources given to a detection engine,
what preprocessors you will need to run, the number of ports that need to
be tracked by stream5, and what the overhead of the rules you're running
is... just to name a few.

In SF devices, each rule has a "Rule Overhead" rating (low, medium,
high, very high). While this probably isn't a scientific numerical
rating (correct me if I'm wrong here), it isn't some random attribute
either. You would probably be able to run far fewer "Very High" rules
than "Low" rules (hmmm that gives me an idea for a feature request).

Thx,
Wally

On Thu, Apr 14, 2011 at 7:40 AM, d a <xstoneheartx () yahoo com> wrote:
Does anybody know how many enabled rules are supported with SourceFire
Appliance 3D9900 on 10 gbps traffic rate?

________________________________
From: Martin Holste <mcholste () gmail com>
To: d a <xstoneheartx () yahoo com>
Cc: Nigel Houghton <nhoughton () sourcefire com>;
snort-devel () lists sourceforge net
Sent: Sat, April 9, 2011 8:30:13 AM
Subject: Re: [Snort-devel] using snort for 10Gbps traffic rate

My rule of thumb thus far has been that on commodity hardware with
PF_RING, you can run 1000 signatures per 500 Mb/sec of traffic per
Snort instance before you start dropping packets.  You want to run
20x500, so I would think that a single Snort instance could run 50
signatures at 10 gig.  However, you're definitely going to need
PF_RING or TNAPI and a recent network card, or better yet a 10 gig
Endace DAG card to process packet headers at 10 gig.  Also,
preprocessors will take a heavy toll; I cannot vouch for a Snort
process running even zero rules with all preprocessors turned on to
perform at 10 gig with no drops.  If anyone on the list has
successfully run a single Snort instance against a full 10 gig
line-speed of real-world traffic, I'd like to hear it.  Many run at
the 1-3 Gb/sec range, but few run at full 10 gig line-speed.

Something to consider: the PF_RING DAQ module allows multiple Snort
processes to load balance the traffic so that you can have a cluster
of Snort instances on a single machine.  DAG cards allow a similar
load-balancing to occur.

On Fri, Apr 8, 2011 at 10:39 PM, d a <xstoneheartx () yahoo com> wrote:
Hi,

Can the snort2-9 package be used for protecting 10Gbps traffic rate
without the need to use parallel snort sensors and breaking (splitting)
traffic between them? Can a single snort engine handle this rate? If yes,
then still with the assumption of no limitation in hardware and the
simplest configuration, how many rules approximately can be enabled to
handle this rate with an acceptable packet drop rate, acceptable CPU
usage,…?

The reason that I insist on this topic is because what I found in
documents and papers about snort performance and its supported rate was
all about less than 1Gbps, and there were some solutions to develop a
hardware accelerator for it to support 10Gbps rate.

Thank you very much for your help.

________________________________
From: Nigel Houghton <nhoughton () sourcefire com>
To: d a <xstoneheartx () yahoo com>
Cc: matan monitz <mmonitz () gmail com>; snort-devel () lists sourceforge net
Sent: Tue, April 5, 2011 7:49:53 PM
Subject: Re: [Snort-devel] using snort for an IDS/IPS appliance

On Tue, 5 Apr 2011 07:37:38 -0700 (PDT), d a wrote:
I know that sourcefire has a product for this purpose, but that is a
commercial product, while what we want to do is not a commercial
project; it's an experimental and research project, and as far as I
know sourcefire is using another generation of snort (3D) for their
appliance, not exclusively the snort2-9 software.

The Snort that is on a Sourcefire appliance is the same Snort that you
can download from snort.org. There is no "special Snort".

--
Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-blog.snort.org/ && http://labs.snort.org/
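Added example, not code from anyone in the thread: a small Python capacity-planning script that counts the enabled rules in a Snort 2.9 rules file, buckets them with a constructed overhead heuristic (a stand-in for the Sourcefire "Rule Overhead" rating Wally mentions, not that rating itself), and applies Martin's 1000-signatures-per-500 Mb/s rule of thumb to estimate how many PF_RING-clustered Snort instances a given line rate would need. The sample rules, the heuristic thresholds and the linear scaling are assumptions.

```python
import math
import re
# Constructed sample of a Snort 2.9 rules file (not a real VRT ruleset):
# three enabled rules and one commented-out (disabled) rule.
SAMPLE_RULES = r"""
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB test a"; flow:to_server,established; content:"GET"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB test b"; flow:to_server,established; content:"/cgi-bin/"; pcre:"/\.php\?id=\d+/"; sid:1000002; rev:1;)
# alert udp any any -> $HOME_NET 53 (msg:"DNS disabled"; content:"|00 01|"; sid:1000003; rev:1;)
alert ip any any -> any any (msg:"IP header only"; sid:1000004; rev:1;)
"""

RULE_RE = re.compile(r'^\s*(alert|log|pass|drop|reject|sdrop)\s+\S+\s+.*?\((?P<opts>.*)\)\s*$')

def load_rules(text):
    """Parse enabled rules; commented-out lines never match RULE_RE and are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        opts = m.group('opts')
        rules.append({'sid': int(re.search(r'sid:\s*(\d+)', opts).group(1)),
                      'contents': len(re.findall(r'\bcontent:', opts)),
                      'pcre': 'pcre:' in opts, 'has_flow': 'flow:' in opts})
    return rules

def overhead_class(rule):
    """Constructed heuristic, not Sourcefire's 'Rule Overhead' rating: no content and
    no pcre means no fast pattern (evaluated on every header match); pcre costs a regex run."""
    if rule['contents'] == 0 and not rule['pcre']:
        return 'very high'
    if rule['pcre']:
        return 'high'
    return 'low' if rule['has_flow'] else 'medium'

def overhead_profile(rules):
    """Count enabled rules per overhead class."""
    profile = {'low': 0, 'medium': 0, 'high': 0, 'very high': 0}
    for rule in rules:
        profile[overhead_class(rule)] += 1
    return profile

def instances_needed(enabled_rules, line_rate_mbps):
    """Martin's rule of thumb: ~1000 signatures per 500 Mb/s per Snort instance, scaled
    linearly (an assumption); PF_RING clustering splits the link across that many instances."""
    return max(1, math.ceil(enabled_rules * line_rate_mbps / (1000 * 500)))

if __name__ == '__main__':
    rules = load_rules(SAMPLE_RULES)
    print(len(rules), overhead_profile(rules), instances_needed(len(rules), 10000))
```

With the thread's numbers, 50 signatures at 10 Gb/s fit in one instance (Martin's figure) while 1000 signatures at 10 Gb/s would need 20 clustered instances.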




_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel