Snort mailing list archives

Re: Gigabit snort?


From: Jeff Nathan <jeff () snort org>
Date: Wed, 17 Apr 2002 14:48:37 -0700

Michael Cunningham wrote:

Folks,

My company currently has 3x 45 mbit links to the net
that I would like to monitor with snort. We plan on
getting an OC12 soon. Is anyone running snort to
monitor this level of traffic?  We easily max out our
3x 45 mbit links during peak times. I would like to
place sensors inside and outside my firewalls in order
to correlate results. Can a high end x86 Linux system handle
this level of traffic? I was planning on centrally logging
everything to a mySQL database for analysis (I am planning
5 other sensors on my internal LAN as well). Is anyone else running
a high end snort setup? I would love to get some constructive
advice on a setup this size. What gigabit cards are you
using? What fiber taps? Server hardware? etc..

Thanks.. Mike


Hi Mike,

I thought I'd take pity on those in this situation.

With a relatively beefy box you might be able to handle all three 45mb
links with one sensor and a Gigabit Ethernet card.  

Planning for the future, you'll probably want to instead use a tap. 
Both Shomiti (Finisar) and Netoptics fiber taps work fine - though
Finisar seems a bit clueless about Shomiti products.  

To connect either the Shomiti or the Netoptics fiber tap to an IDS load
balancer's GBICs you'll need an analyzer "Y" cable (shown at the bottom
of this pdf: http://www.netoptics.com/96042-gig.pdf).  Both Top Layer
and Radware claim to be able to load balance even when the connection is
split between two GBICs (as it will be when coming off the analyzer port
on a tap).

The hardware of course is up to you.  (We can talk offline if you have
further questions.)

I hope this is helpful.

-Jeff


-- 
http://jeff.wwti.com            (pgp key available)
"Common sense is the collection of prejudices acquired by age eighteen."
- Albert Einstein
