Snort mailing list archives

RE: Handling of a 1 or 2 GB pipe?


From: "Ricardo, Gerson" <gricardo () gableseng com>
Date: Fri, 31 Jan 2003 08:35:21 -0500


Whatever you get, please make sure that the machine has a sizable I/O bus - 64-bit preferred!  UltraSPARC systems are 
better than the Intel GTL+ bus for sure, but the EV7(6) of the Alpha/AMD processors is very hard to beat.  The machines 
with the fastest I/O bus - it's now between the Intel 7505 "Granite Bay" dual-channel DDR chipset and the currently 
unavailable AMD ClawHammer MP chipset with its HyperTransport bus.  133MHz/64-bit PCI-X NICs are definitely a must - they 
allow for 1066MB/sec throughput on the system bus minus the overhead.

hope this helps.


/gjr



-----Original Message-----
From: Morgan R. Elmore [mailto:Morgan () SEEMAC COM]
Sent: Friday, January 31, 2003 8:08 AM
To: 'twig les'; security () starfieldsw com;
snort-users () lists sourceforge net
Subject: RE: [Snort-users] Handling of a 1 or 2 GB pipe?


Good idea, all I could think of was "A BIG BOX"

-----Original Message-----
From: twig les [mailto:twigles () yahoo com] 
Sent: Thursday, January 30, 2003 8:10 PM
To: security () starfieldsw com; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Handling of a 1 or 2 GB pipe?


Wow.  The best hardware IMO is Sun, but that kind of
setup will run you a couple hundred grand at least. 
Try Supermicro's page.  They build some mean i386
servers for about 1/10 the price of Sun.  Plus they
use well-known hardware (like Adaptec SCSI
controllers) so using FreeBSD won't likely be a
problem :).  I'm something of a FreeBSD zealot so I
won't even seriously suggest any OS (avoiding penalty
drinks for starting an OS holy war).  Don't forget the
PC Weasel if you require a console port on that i386
box and are willing to cough up $350.

Other than that, I would (and do) run multiple
instances of snort to distribute the signatures. 
Check the docs to divide the sigs up among sets.  This
wasn't an issue in the 1.8.x line but will undoubtedly
be something to consider in 2.x.  Non-local logging
helps of course.

I'm curious as to how you expect to get up to the full theoretical limit
though.  In fact so many factors could bottleneck, yet each seems to be
advancing, that I'm not sure what the slowdown would be anymore (disk I/O,
RAM speed, CPU, PCI/FSB bus, NIC ...).  Although splitting up the 1.5Gbps
across 2 boxes would mean much less strain.


--- "Travis S." <security () starfieldsw com> wrote:
Snort-Users,

I am considering using Snort to monitor traffic on a
1 Gbps internet link, so the combined throughput of
the monitored traffic would be 2 Gbps.  The average
load is 1 Gbps (combined) and it wouldn't be
surprising to see constant levels of above 1.5 Gbps.
 The most likely implementation will involve
mirroring a switch port to receive the data.  The
network is over 60 subnets, with 50,000+ hosts.

How well would Snort handle reviewing packets of
such a link?  I basically want to pick apart packets
and examine a few key bytes to determine the
application that is used to send the data.  I'm not
sure if it's possible to do this on-the-fly, or if
it would be better to log the data and analyze from
disk.

Has anyone done similar things?  Any comments on
hardware requirements?  Comments overall about the
concept?  Operating system suggestions (and
version?)?

Thanks,
Travis S.



-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld =
Something 2 See!
http://www.vasoftware.com 
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or
unsubscribe:

https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:

http://www.geocrawler.com/redir-sf.php3?list=snort-users


=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.         
-----------------------------------------------------------






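twig les's suggestion of running several snort processes, each loading only a subset of the signatures, needs a bit of bookkeeping. The script below is an added example, not code from this thread or from the Snort project: it counts the rules in each rule file, balances the files across N instances by rule count, and writes one config per instance using Snort's `include` and `var RULE_PATH` directives. The rule files, their contents, the `snort-N.conf` names and the base `snort.conf` path are constructed for the demo.

```python
"""Split Snort rule files into N disjoint groups, one per snort instance.

Added example (not from the thread or the Snort project). The shared part of
the configuration (preprocessors, output plugins, variables) is assumed to
live in one base snort.conf that every per-instance config includes; only
the rule includes differ between instances.
"""
import os
import tempfile

# Rule actions recognised at the start of a rule line; the last three are
# inline-mode actions and are simply counted like the others here.
RULE_ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop")


def count_rules(path):
    """Count rule lines in a rule file, ignoring blank lines and comments."""
    n = 0
    with open(path) as fh:
        for line in fh:
            s = line.strip()
            if s and not s.startswith("#") and s.split(None, 1)[0] in RULE_ACTIONS:
                n += 1
    return n


def partition_rules(rule_counts, n_instances):
    """Greedy balance: hand each file (largest first) to the lightest group.

    rule_counts: {filename: number_of_rules}. Returns a list of filename lists,
    one per instance. Ties are broken by filename so the result is stable.
    """
    groups = [[] for _ in range(n_instances)]
    load = [0] * n_instances
    for name, count in sorted(rule_counts.items(), key=lambda kv: (-kv[1], kv[0])):
        i = load.index(min(load))
        groups[i].append(name)
        load[i] += count
    return groups


def write_instance_conf(base_conf, rule_path, group, out_path):
    """Write a per-instance config: shared base settings plus this group's rules."""
    with open(out_path, "w") as fh:
        fh.write(f"include {base_conf}\n")
        fh.write(f"var RULE_PATH {rule_path}\n")
        for name in group:
            fh.write(f"include $RULE_PATH/{name}\n")
    return out_path


def demo(n_instances=2):
    """Build a scratch rule tree (constructed rules, not real signatures), split
    it and write one config per instance. Returns (groups, rules per group,
    config paths)."""
    root = tempfile.mkdtemp(prefix="snort-split-")
    rule_dir = os.path.join(root, "rules")
    os.makedirs(rule_dir)
    fake = {"web.rules": 6, "exploit.rules": 3, "ssh.rules": 1, "smtp.rules": 2}
    for k, (name, count) in enumerate(fake.items()):
        with open(os.path.join(rule_dir, name), "w") as fh:
            fh.write("# constructed demo rules, not real signatures\n\n")
            for i in range(count):
                sid = 9000000 + 100 * k + i  # assumed sid range for the demo
                fh.write(f'alert tcp any any -> any any (msg:"demo {name} {i}"; sid:{sid};)\n')
    counts = {name: count_rules(os.path.join(rule_dir, name)) for name in fake}
    groups = partition_rules(counts, n_instances)
    confs = [
        write_instance_conf(os.path.join(root, "snort.conf"), rule_dir, g,
                            os.path.join(root, f"snort-{i + 1}.conf"))
        for i, g in enumerate(groups)
    ]
    return groups, [sum(counts[n] for n in g) for g in groups], confs


if __name__ == "__main__":
    groups, loads, confs = demo(2)
    for g, l, c in zip(groups, loads, confs):
        print(f"{c}: {l} rules from {g}")
```

Each instance is then started with its own config on the same interface (`snort -c snort-1.conf -i eth0`, `snort -c snort-2.conf -i eth0`, and so on). Note the caveat: on a single mirror port every process still receives every packet, so header decoding and preprocessor work is duplicated per instance and only the rule matching is split; twig les's other option, splitting the traffic itself across two boxes (or giving each instance a BPF expression on the snort command line so it only sees part of the address space), is what reduces per-packet work.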


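Travis's question was about picking apart packets and examining a few key bytes to determine the application. The script below is an added example, not code from this thread or from Snort: it decodes Ethernet/IPv4/TCP headers by hand, takes the first bytes of the TCP payload and matches them against a small signature table. The frames and the signature table are constructed for the demo, and the table is deliberately short; a real deployment would key on port and direction as well.

```python
"""Classify the application in a raw Ethernet frame from its first payload bytes.

Added example (not from the thread or the Snort project). Frames are built
locally with build_frame(); nothing here is captured traffic.
"""
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6

# Constructed signature table: (name, predicate over the first payload bytes).
SIGNATURES = [
    ("http", lambda p: p.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT")
                       or p.startswith(b"HTTP/1.")),
    # TLS record: type 0x16 (handshake), major version 3, handshake type 1 (ClientHello)
    ("tls", lambda p: len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01),
    ("ssh", lambda p: p.startswith(b"SSH-")),
    ("smtp", lambda p: p[:4] in (b"EHLO", b"HELO") or p.startswith(b"220 ")),
]


def parse_frame(frame):
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None  # ARP, IPv6, VLAN-tagged etc. are not handled here
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_TCP:
        return None
    ip = ip[:total_len]  # strip Ethernet padding on short frames
    tcp = ip[ihl:]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    if doff < 20 or len(tcp) < doff:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return src, dst, sport, dport, tcp[doff:]


def classify(payload):
    """Name the application from the first payload bytes, or 'unknown'/'empty'."""
    if not payload:
        return "empty"  # pure ACK or SYN: nothing to look at yet
    for name, match in SIGNATURES:
        if match(payload):
            return name
    return "unknown"


def build_frame(src, dst, sport, dport, payload):
    """Build a minimal Ethernet/IPv4/TCP frame (no checksums; demo only)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + tcp


SAMPLE_FRAMES = [  # constructed, not captured traffic
    build_frame("10.0.0.5", "192.0.2.10", 40001, 80, b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"),
    build_frame("10.0.0.6", "192.0.2.11", 40002, 443, bytes([0x16, 0x03, 0x01, 0x00, 0xc0, 0x01, 0x00, 0x00, 0xbc, 0x03, 0x03])),
    build_frame("10.0.0.7", "192.0.2.12", 40003, 22, b"SSH-2.0-OpenSSH_3.5p1\r\n"),
    build_frame("10.0.0.8", "192.0.2.13", 40004, 25, b"HELO mail.example\r\n") + b"\x00" * 8,  # padded short frame
    build_frame("10.0.0.9", "192.0.2.14", 40005, 8080, b"\x00\x01\x02\x03"),
    b"\xff" * 6 + b"\x00" * 6 + struct.pack("!H", 0x0806) + b"\x00" * 28,  # ARP request shape
]


def classify_frames(frames):
    """Return [(application, 'src:sport->dst:dport' or None)] for each frame."""
    out = []
    for f in frames:
        parsed = parse_frame(f)
        if parsed is None:
            out.append(("non-tcp", None))
            continue
        src, dst, sport, dport, payload = parsed
        out.append((classify(payload), f"{src}:{sport}->{dst}:{dport}"))
    return out


if __name__ == "__main__":
    for app, flow in classify_frames(SAMPLE_FRAMES):
        print(app, flow)
```

In Snort the same check is a rule with `content:"SSH-"; depth:4;` (match only in the first four payload bytes), which is cheap because the search stops early. Two caveats worth keeping in mind: a first-bytes signature only fires on the first data segment of a flow, so classifying the whole flow means remembering the result per 4-tuple; and a Python loop like this is for showing the check, not for keeping up with 1.5 Gbps.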

