Snort mailing list archives

Re: Handling of a 1 or 2 GB pipe?


From: Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>
Date: Fri, 31 Jan 2003 14:00:13 +0100

Hi,

Travis S. wrote:
Snort-Users,

I am considering using Snort to monitor traffic on a 1 Gbps internet link, so the combined throughput of the monitored 
traffic would be 2 Gbps.  The average load is 1 Gbps (combined) and it wouldn't be surprising to see constant levels of 
above 1.5 Gbps.  The most likely implementation will involve mirroring a switch port to receive the data.  The network is 
over 60 subnets, with 50,000+ hosts.

How well would Snort handle reviewing packets of such a link?  I basically want to pick apart packets and examine a few key bytes 
to determine the application that is used to send the data.  I'm not sure if it's possible to do this on-the-fly, or if 
it would be better to log the data and analyze from disk.

Has anyone done similar things?  Any comments on hardware requirements?  Comments overall about the concept?  Operating 
system suggestions (and version?)?

We discussed such problems a few weeks ago. IMHO the problem should
be to capture that amount of data. No illusions about real-time
analyzing so much traffic. You will need to buffer it, at least to
back up the traffic peaks. Btw: No IDS available can probably
provide the performance you need.

I have a small test system at the moment, having two Intel Gbit NICs.
I will do some tests in the next few weeks. For now, my experience
is that what Marty is saying in the docs is pretty realistic: up
to ~80Mbit/s can be analyzed in real time (with optimized settings,
of course).

I installed the ring-buffer-patched libpcap and started capturing
with tcpdump to a named pipe (or FIFO). "On the other side" I let
Snort analyze the traffic and hey, it worked - I had no dropped
packets (Thx. Erek ;) ). Even power-scanning in the insane mode with
nmap caused no capturing problems. I will soon (try to) write a
Nessus plugin providing an attack combined with a packet storm.

So I will soon do some tests with the Gbit NICs. That is going to be
very exciting, since it should theoretically overload the PCI bus of
my 32-bit platform. But I have two Xeon machines lying around too ;)

According to some whitepapers, you can capture with libpcap up to
800Mbit/s. I'll try to test that.

So the solution may be to set up a few boxes - one for every subnet and
direction, or similar (~1GB RAM, 64-bit platform, SCSI) and try to
unburden Snort/tcpdump as much as you can. Decide if you really want to
analyze the outbound traffic. Define your capturing filters ($HOME_NET,
servers, ports) - capture only the stuff you really want to look at.
Then it may work for you and you have a solution money can't buy.

Hope that helps...

Best regards,

Edin_


Thanks,
Travis S.

--
Edin Dizdarevic
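The tcpdump-to-FIFO-to-Snort setup Edin describes, together with the advice to capture only the traffic you want to look at, written out as a small shell script. This is an added example and not code from the post or from the Snort project; the interface name, FIFO path, HOME_NET and port list are placeholder values, and it assumes that tcpdump and snort are on PATH and that Snort's -r option will read a pcap stream from a named pipe, as Edin reports it does.

```shell
#!/bin/sh
# Added example (not from the original post): capture with tcpdump into a
# named pipe and let Snort read from that pipe, with a BPF filter that
# narrows the capture to the hosts and ports you actually want inspected.
# Assumptions: tcpdump and snort are on PATH; all network values are examples.

# Compose a BPF expression of the form "net <HOME_NET> and (port a or port b)".
# $1 = home network in CIDR notation, remaining arguments = ports to keep.
build_bpf_filter() {
    net="$1"; shift
    ports=""
    for p in "$@"; do
        if [ -z "$ports" ]; then
            ports="port $p"
        else
            ports="$ports or port $p"
        fi
    done
    if [ -n "$ports" ]; then
        printf 'net %s and (%s)' "$net" "$ports"
    else
        printf 'net %s' "$net"
    fi
}

# Create the FIFO, start tcpdump writing pcap records into it, then start
# Snort reading the same FIFO. tcpdump blocks on open() until Snort opens
# the read side, so the two ends synchronise by themselves.
# $1 = capture interface, $2 = FIFO path, $3 = BPF filter, $4 = snort.conf
start_pipeline() {
    iface="$1"; fifo="$2"; filter="$3"; conf="$4"
    [ -p "$fifo" ] || mkfifo "$fifo"
    # -n: no name resolution, so the capture box does no DNS lookups
    # -s 0: full snaplen, so Snort sees whole packets rather than headers only
    # -w: raw pcap output into the FIFO
    tcpdump -n -i "$iface" -s 0 -w "$fifo" "$filter" &
    tcpdump_pid=$!
    snort -c "$conf" -r "$fifo"
    kill "$tcpdump_pid" 2>/dev/null
}

# Usage (example values; uncomment on a box that has both tools installed):
# start_pipeline eth1 /var/run/snort.fifo \
#     "$(build_bpf_filter 10.1.0.0/16 80 25 53)" /etc/snort/snort.conf
```

The filter is where the real load reduction happens: every packet that the kernel BPF engine rejects never reaches tcpdump's buffer, the FIFO, or Snort, so tightening `build_bpf_filter` to your servers and ports is the cheapest way to keep the drop counter at zero on a busy link.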


