Snort mailing list archives
Re: Handling of a 1 or 2 GB pipe?
From: Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>
Date: Fri, 31 Jan 2003 14:00:13 +0100
Hi,

Travis S. wrote:
Snort-Users, I am considering using Snort to monitor traffic on a 1 Gbps internet link, so the combined throughput of the monitored traffic would be 2 Gbps. The average load is 1 Gbps (combined) and it wouldn't be surprising to see constant levels of above 1.5 Gbps. The most likely implementation will involve mirroring a switch port to receive the data. The network is over 60 subnets, with 50,000+ hosts. How well would Snort handle reviewing packets of such a link? I basically want to pick apart packets and examine a few key bytes to determine the application that is used to send the data. I'm not sure if it's possible to do this on-the-fly, or if it would be better to log the data and analyze from disk. Has anyone done similar things? Any comments on hardware requirements? Comments overall about the concept? Operating system suggestions (and version?)?
We discussed such problems a few weeks ago. IMHO the problem should be to capture that amount of data. No illusions about real-time analyzing so much traffic. You will need to buffer it, at least to back up the traffic peaks. Btw: No IDS available can probably provide the performance you need.

I have a small test system at the moment, having two Intel Gbit NICs. I will do some tests in the next few weeks. For now, my experience is that what Marty is saying in the docs is pretty realistic: up to ~80Mbit/s can be analyzed in real time (with optimized settings, of course). I installed the ring-buffer-patched libpcap and started capturing with tcpdump to a named pipe (or FIFO). "On the other side" I let Snort analyze the traffic and hey, it worked - I had no dropped packets (Thx. Erek ;) ). Even power-scanning in the insane mode with nmap caused no capturing problems. I will soon (try to) write a Nessus plugin providing an attack combined with a packet storm.

So I will soon do some tests with the Gbit NICs. That is going to be very exciting, since it should theoretically overload the PCI bus of my 32-bit platform. But I have two Xeon machines lying around too ;) According to some whitepapers, you can capture with libpcap up to 800Mbit/s. I'll try to test that.

So the solution may be to set up a few boxes - one for every subnet and direction, or similar (~1GB RAM, 64-bit platform, SCSI) - and try to disburden Snort/tcpdump as much as you can. Decide if you really want to analyze the outbound traffic. Define your capturing filters ($HOME_NET, servers, ports) - capture only the stuff you really want to look at. Then it may work for you and you have a solution that money can't buy.

Hope that helps...

Best regards,
Edin
Thanks, Travis S.
-- Edin Dizdarevic
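The arrangement Edin describes (tcpdump writing into a named pipe, Snort reading the other end with -r, and a capture filter that restricts the sensor to $HOME_NET and the ports of interest) can be wired up with a short shell script. The script below is an added example, not code from the post or from the Snort project; it assumes a Linux host with tcpdump and snort installed, and the interface name, subnets, ports and snort.conf path are placeholders. The ring-buffer libpcap patch Edin mentions is not part of it; it only shows the FIFO decoupling and the filter construction.

```shell
#!/bin/sh
# Added example (hypothetical setup, not from the original post):
# tcpdump -> FIFO -> Snort, with a BPF filter built from HOME_NET and server ports.

# Build a BPF capture filter that keeps only traffic to/from the monitored
# subnets and (optionally) the listed TCP server ports, so the analyzer sees
# far less than the raw link.
#   $1: space-separated CIDR nets (the HOME_NET), e.g. "10.0.0.0/8 192.168.0.0/16"
#   $2: space-separated TCP ports, may be empty
build_filter() {
    nets=$1
    ports=$2
    net_expr=""
    for n in $nets; do
        if [ -z "$net_expr" ]; then net_expr="net $n"; else net_expr="$net_expr or net $n"; fi
    done
    port_expr=""
    for p in $ports; do
        if [ -z "$port_expr" ]; then port_expr="tcp port $p"; else port_expr="$port_expr or tcp port $p"; fi
    done
    if [ -n "$port_expr" ]; then
        printf '(%s) and (%s)' "$net_expr" "$port_expr"
    else
        printf '(%s)' "$net_expr"
    fi
}

# Create the named pipe (FIFO) that decouples the capture process from the
# analyzer. $1: directory to place it in; prints the FIFO path.
make_fifo() {
    fifo="$1/capture.fifo"
    [ -p "$fifo" ] || mkfifo "$fifo"
    printf '%s' "$fifo"
}

# Wire the pipeline: tcpdump writes raw pcap into the FIFO in the background,
# Snort reads the FIFO with -r as if it were a capture file. The writer blocks
# until Snort opens the read end, so no data is lost at startup.
# Only run when explicitly requested: it needs root and a real interface.
#   $1: interface, $2: FIFO path, $3: BPF filter, $4: snort.conf path
start_pipeline() {
    iface=$1; fifo=$2; filter=$3; conf=$4
    tcpdump -i "$iface" -n -s 0 -w "$fifo" "$filter" &
    TCPDUMP_PID=$!
    snort -c "$conf" -r "$fifo" -l /var/log/snort
    kill "$TCPDUMP_PID" 2>/dev/null
}

# Example invocation (placeholders): RUN_CAPTURE=1 IFACE=eth0 sh sensor.sh
if [ "${RUN_CAPTURE:-0}" = 1 ]; then
    dir=$(mktemp -d)
    fifo=$(make_fifo "$dir")
    filter=$(build_filter "10.0.0.0/8 192.168.0.0/16" "25 80 443")
    start_pipeline "${IFACE:-eth0}" "$fifo" "$filter" "${SNORT_CONF:-/etc/snort/snort.conf}"
fi
```

Each subnet or direction Edin suggests splitting across separate boxes would simply get its own copy of this script with a narrower net list; the FIFO gives tcpdump a place to keep writing during a traffic peak while Snort catches up, which is the buffering the post is asking for.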
Current thread:
- Handling of a 1 or 2 GB pipe? Travis S. (Jan 30)
- Re: Handling of a 1 or 2 GB pipe? twig les (Jan 30)
- Re: Handling of a 1 or 2 GB pipe? Edin Dizdarevic (Jan 31)
- Re: Handling of a 1 or 2 GB pipe? Yaakov Yehudi (Feb 04)
- Re: Handling of a 1 or 2 GB pipe? Erek Adams (Jan 31)
- Re: Handling of a 1 or 2 GB pipe? Bennett Todd (Feb 01)
- <Possible follow-ups>
- RE: Handling of a 1 or 2 GB pipe? Scott, Joshua (Jan 30)
- RE: Handling of a 1 or 2 GB pipe? Morgan R. Elmore (Jan 31)
- RE: Handling of a 1 or 2 GB pipe? Ricardo, Gerson (Jan 31)