Snort mailing list archives
Re: Intel X520 and Multi-Queue Snort
From: beenph <beenph () gmail com>
Date: Fri, 13 May 2011 14:49:44 -0400
>> I honestly still think that a "heartbeat" signature is not a real solution.
>
> Not a real solution to what problem? I don't think anyone is positioning heartbeats as a complete solution for monitoring snort performance that is superior in every way when compared to every other possible alternative. It can be a useful data point, though. It can be especially useful if, as Martin suggests, you observe drops of a large fraction of heartbeats in spite of monitoring a variety of other metrics that all appear healthy.
When I wrote "not a real solution", I was referring to signature heartbeats, obviously. And the problem I was referring to was "signature heartbeat being a possible solution to packet drops" <- NOT A SOLUTION. Especially if you're "splitting" your traffic. Heartbeats can be implemented in different ways; signature heartbeats are an easily implemented solution, but they do not really tackle the core of the problem. IMHO.
> Heartbeats won't tell you where the problem is or what it is, but an end-to-end test that includes all the infrastructure that snort depends on but can't be aware of could be a great indicator for problems that would otherwise be very difficult to reliably observe.
>
>> For example, if someone pulls the wire from your monitoring station and plugs it back 10 minutes later, the only thing you would know is that maybe you missed one of your heartbeat signatures, and if your heartbeat signature passed right before that, then you would think everything was all right when in fact you were not monitoring for 10 minutes. It could also be an issue more upstream, like your trunk that gets disconnected, etc. And those wouldn't add up in the "dropped packets", since what's not seen is not counted and thus is not missed.
>
> Snort has lots of other instrumentation that would make the first case obvious, but the second case could be difficult to detect if you don't have control of the upstream devices feeding snort, and heartbeats would help you know that you should be looking for a problem.
It's easy to implement, and a lot of issues can be diagnosed with the right instrumentation written into the DAQ library. I have been following the discussion and it seems to be leaning toward some "defined" assumptions that if you crank crazy hardware and load every possible rule (except some "noisier" ones) it's gonna do the job by splitting traffic at a theoretical 10gbs. My main question would be: if you're sniffing outside at the edge of your network, do you sniff inside also? If so, what type of sensor deployment do you have on the inside vs what you're trying to achieve at your network edge? Do you also enable everything you can inside? Do you, and how do you, correlate internal and external alerts?

-elz
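A small illustration of the blind-window point argued in this thread (the wire pulled right after a heartbeat passed, and packets that are never counted as dropped because they never reached the sensor), written as an added example rather than anything from the thread or from Snort/DAQ itself; the 60-second interval, the alert timestamps and the DAQ drop counter are constructed sample values:

```python
from dataclasses import dataclass

HEARTBEAT_INTERVAL = 60.0  # seconds between heartbeat probes (assumed deployment setting)

@dataclass
class Gap:
    last_seen: float  # last heartbeat alert before the hole
    next_seen: float  # first heartbeat alert after the hole
    missed: int       # heartbeats that were due in between but never alerted

    def max_blind_seconds(self) -> float:
        # The outage can start right after last_seen and end right before
        # next_seen, so this is the worst case, not the measured outage.
        return self.next_seen - self.last_seen

def find_gaps(alert_times, interval=HEARTBEAT_INTERVAL, slack=0.5):
    """Find holes in a sorted list of heartbeat-alert timestamps.
    Consecutive alerts further apart than interval*(1+slack) mean at least one
    heartbeat was not seen; slack tolerates scheduler and capture jitter so a
    61-second spacing is not reported as a hole.
    """
    gaps = []
    for prev, cur in zip(alert_times, alert_times[1:]):
        delta = cur - prev
        if delta > interval * (1 + slack):
            gaps.append(Gap(prev, cur, int(round(delta / interval)) - 1))
    return gaps

def classify(gaps, daq_dropped: int) -> str:
    """Combine missed heartbeats with the sensor's own drop counter.
    The sensor only counts packets it received and then lost; packets that
    never reached it (pulled wire, disconnected trunk) are not counted at all.
    """
    if not gaps:
        return "ok"
    if daq_dropped > 0:
        return "sensor-overload"  # traffic arrived, sensor could not keep up
    return "upstream-blind"       # nothing dropped and nothing seen: feed problem

# Constructed sample: heartbeats alert at t=0,60,120; the wire is pulled at
# t=125 and reconnected at t=725, so the beats due at 180..720 never alert.
SAMPLE_ALERTS = [0.0, 60.0, 120.0, 780.0, 840.0]

if __name__ == "__main__":
    for g in find_gaps(SAMPLE_ALERTS):
        print(f"missed {g.missed} beats, blind for up to {g.max_blind_seconds():.0f}s")
    print(classify(find_gaps(SAMPLE_ALERTS), daq_dropped=0))
```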