Snort mailing list archives
RE: Handling of a 1 or 2 GB pipe?
From: "Scott, Joshua" <Joshua.Scott () jacobs com>
Date: Thu, 30 Jan 2003 20:49:06 -0500
Check out this product from TopLayer.

http://www.toplayer.com/content/products/intrusion_detection/ids_balancer.jsp

Their product does IDS load balancing and they support gigabit interfaces.

From reading their website, traffic from your SPAN/Monitor can be replicated to as many interfaces as you choose. In that scenario, you could have individual sensors in each interface and distribute the signatures among them. It also appears that it supports some type of traffic filtering per interface. That may prevent Snort from dropping packets.

I've never used this type of product before so I don't know how well it works. Anyone used their product?

Hope this helps!

Joshua Scott
Security Systems Analyst, CISSP

-----Original Message-----
From: Travis S. [mailto:security () starfieldsw com]
Sent: Thursday, January 30, 2003 4:28 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Handling of a 1 or 2 GB pipe?

Snort-Users,

I am considering using Snort to monitor traffic on a 1 Gbps internet link, so the combined throughput of the monitored traffic would be 2 Gbps. The average load is 1 Gbps (combined) and it wouldn't be surprising to see constant levels of above 1.5 Gbps. The most likely implementation will involve mirroring a switch port to receive the data. The network is over 60 subnets, with 50,000+ hosts.

How well would Snort handle reviewing packets of such a link? I basically want to pick apart packets and examine a few key bytes to determine the application that is used to send the data. I'm not sure if it's possible to do this on-the-fly, or if it would be better to log the data and analyze from disk.

Has anyone done similar things? Any comments on hardware requirements? Comments overall about the concept? Operating system suggestions (and version?)?

Thanks,
Travis S.
Current thread:
- Handling of a 1 or 2 GB pipe? Travis S. (Jan 30)
- Re: Handling of a 1 or 2 GB pipe? twig les (Jan 30)
- Re: Handling of a 1 or 2 GB pipe? Edin Dizdarevic (Jan 31)
- Re: Handling of a 1 or 2 GB pipe? Yaakov Yehudi (Feb 04)
- Re: Handling of a 1 or 2 GB pipe? Erek Adams (Jan 31)
- Re: Handling of a 1 or 2 GB pipe? Bennett Todd (Feb 01)
- <Possible follow-ups>
- RE: Handling of a 1 or 2 GB pipe? Scott, Joshua (Jan 30)
- RE: Handling of a 1 or 2 GB pipe? Morgan R. Elmore (Jan 31)
- RE: Handling of a 1 or 2 GB pipe? Ricardo, Gerson (Jan 31)