Snort mailing list archives
Re: SourceFire Appliance 3D9900 capabilities
From: Jason Wallace <jason.r.wallace () gmail com>
Date: Thu, 14 Apr 2011 08:27:19 -0400
There is no integer answer to that question for any IPS. If any IPS vendor ever tells you differently, you should just get up and walk out of the room.

It depends on what kind of traffic the sensor would see (not just the volume), what is the quality of that traffic from a fragmentation/session perspective, what do you want to look for/protect from, number of resources given to a detection engine, what preprocessors will you need to run, number of ports that need to be tracked by stream5, and what the overhead of the rules you're running are... just to name a few.

In SF devices, each rule has a "Rule Overhead" rating (low, medium, high, very high). While this probably isn't a scientific numerical rating (correct me if I'm wrong here), it isn't some random attribute either. You would probably be able to run far fewer "Very High" rules than "Low" rules (hmmm that gives me an idea for a feature request).

Thx,
Wally

On Thu, Apr 14, 2011 at 7:40 AM, d a <xstoneheartx () yahoo com> wrote:
Does anybody know how many enabled rules are supported with SourceFire Appliance 3D9900 on 10 gbps traffic rate?

________________________________
From: Martin Holste <mcholste () gmail com>
To: d a <xstoneheartx () yahoo com>
Cc: Nigel Houghton <nhoughton () sourcefire com>; snort-devel () lists sourceforge net
Sent: Sat, April 9, 2011 8:30:13 AM
Subject: Re: [Snort-devel] using snort for 10Gbps traffic rate

My rule of thumb thus far has been that on commodity hardware with PF_RING, you can run 1000 signatures per 500 Mb/sec of traffic per Snort instance before you start dropping packets. You want to run 20x500, so I would think that a single Snort instance could run 50 signatures at 10 gig. However, you're definitely going to need PF_RING or TNAPI and a recent network card, or better yet a 10 gig Endace DAG card to process packet headers at 10 gig. Also, preprocessors will take a heavy toll; I cannot vouch for a Snort process running even zero rules with all preprocessors turned on to perform at 10 gig with no drops.

If anyone on the list has successfully run a single Snort instance against a full 10 gig line-speed of real-world traffic, I'd like to hear it. Many run at the 1-3 Gb/sec range, but few run at full 10 gig line-speed.

Something to consider: the PF_RING DAQ module allows multiple Snort processes to load balance the traffic so that you can have a cluster of Snort instances on a single machine. DAG cards allow a similar load-balancing to occur.

On Fri, Apr 8, 2011 at 10:39 PM, d a <xstoneheartx () yahoo com> wrote:

Hi,

Can the snort2-9 package be used for protecting 10Gbps traffic rate without need to use parallel snort sensors and breaking (splitting) traffic between them? Can a single snort engine handle this rate? If yes, so still with the assumption of no limitation in hardware and simplest configuration, how many rules approximately can be enabled to handle this rate with acceptable packet drops rate, acceptable CPU usage,…?
The reason that I insist on this topic is because what I found in documents and papers about snort performance and its supported rate, all were about less than 1Gbps and there were some solutions to develop a hardware accelerator for it to support 10Gbps rate.

Thank you very much for your help.

________________________________
From: Nigel Houghton <nhoughton () sourcefire com>
To: d a <xstoneheartx () yahoo com>
Cc: matan monitz <mmonitz () gmail com>; snort-devel () lists sourceforge net
Sent: Tue, April 5, 2011 7:49:53 PM
Subject: Re: [Snort-devel] using snort for an IDS/IPS appliance

On Tue, 5 Apr 2011 07:37:38 -0700 (PDT), d a wrote:

I know that sourcefire has a product for this purpose but that is a commercial product while what we want to do is not a commercial project it's an experimental and research project and as far as I know sourcefire is using another generation of snort (3D) for their appliance not exclusively snort2-9 software.

The Snort that is on a Sourcefire appliance is the same Snort that you can download from snort.org. There is no "special Snort".

--
Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-blog.snort.org/ && http://labs.snort.org/

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Current thread:
- using snort for an IDS/IPS appliance d a (Apr 05)
- <Possible follow-ups>
- using snort for an IDS/IPS appliance d a (Apr 05)
- Re: using snort for an IDS/IPS appliance matan monitz (Apr 05)
- Re: using snort for an IDS/IPS appliance d a (Apr 05)
- Re: using snort for an IDS/IPS appliance Nigel Houghton (Apr 05)
- Re: using snort for an IDS/IPS appliance d a (Apr 06)
- Re: using snort for 10Gbps traffic rate d a (Apr 08)
- Re: using snort for 10Gbps traffic rate Martin Holste (Apr 08)
- SourceFire Appliance 3D9900 capabilities d a (Apr 14)
- Re: SourceFire Appliance 3D9900 capabilities Jason Wallace (Apr 14)
- Re: SourceFire Appliance 3D9900 capabilities Jeff Murphy (Apr 14)
- Re: SourceFire Appliance 3D9900 capabilities Martin Holste (Apr 14)
- Re: using snort for an IDS/IPS appliance matan monitz (Apr 05)
- Re: SourceFire Appliance 3D9900 capabilities Joel Esler (Apr 14)