Snort mailing list archives
Re: Gigabit snort?
From: Frank Knobbe <fknobbe () knobbeits com>
Date: 13 Apr 2002 16:47:36 -0500
On Wed, 2002-04-10 at 16:05, Michael Cunningham wrote:
> My company currently has 3x 45 mbit links to the net that I would like to monitor with snort. We plan on getting an OC12 soon. Is anyone running snort to monitor this level of traffic? We easily max out our 3x 45 mbit links during peak times. I would like to place sensors inside and outside my firewalls in order to correlate results. Can a high end x86 Linux system handle this level of traffic? I was planning on centrally logging everything to a MySQL database for analysis (I am planning 5 other sensors on my internal LAN as well). Is anyone else running a high end snort setup? I would love to get some constructive advice on a setup this size. What gigabit cards are you using? What fiber taps? Server hardware? etc.
Use a TopLayer switch to distribute the traffic to multiple IDS. I know Snort is one of the fastest IDSes around, but I would still use multiple boxes to avoid an overload.

Regards,
Frank