Re: Handling of a 1 or 2 GB pipe?

[Yaakov Yehudi <yehudi () tehila gov il>]

I believe that the Snortfire version of Snort, is available in a 
configuration which will handle this about of traffic.

At  Friday  31/01/2003  15:00, Edin Dizdarevic wrote:
> Hi,
>
> Travis S. wrote:
> > Snort-Users,
> > I am considering using Snort to monitor traffic on a 1 Gbps internet 
> > link, so the combined throughput of the monitored traffic would be 2 
> > Gbps.  The average load is 1 Gbps (combined) and it wouldn't be 
> > surprising to see constant levels of above 1.5 Gbps.  The most likely 
> > implementation will involve mirroring a switch port to receive the 
> > data.  The network is over 60 subnets, with 50,000+ hosts.
> > How well would Snort handle reviewing packets of such a link?  I 
> > basically want to pick apart packets and examine a few key bytes to 
> > determine the application that is used to send the data.  I'm not sure if 
> > it's possible to do this on-the-fly, or if it would be better to log the 
> > data and analyze from disk.
> > Has anyone done similar things?  Any comments on hardware 
> > requirements?  Comments overall about the concept?  Operating system 
> > suggestions (and version?)?
>
> We diskussed such problems a few weeks ago. IMHO the problem should
> be to capture that amount of data. No illusions about realtime-
> analyzing so much traffic. You will need to buffer it, at least to
> back up the traffic peaks. Btw: No IDS available can probably
> provide the performance you need.




-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users