Snort mailing list archives

Re: snort and bonding


From: Bennett Todd <bet () rahul net>
Date: Fri, 7 Mar 2003 15:56:52 -0500

2003-03-07T12:38:23 Patrice Boulanger:
Has anyone already used snort with network interface
bonding?

All the time, works like a champ. Only one caveat: the Linux bonding
driver does not propagate mode settings like promiscuous down from
the bond0 driver to the enslaved ethN drivers; the settings are only
propagated down at ifenslave time. So if you do this:

        ifconfig bond0 up
        ifconfig eth1 up
        ifenslave bond0 eth1
        ifconfig eth2 up
        ifenslave bond0 eth2
        snort -i bond0 ...

snort will set bond0 to promisc, but bond0 won't propagate it down
to eth1 and eth2, so you won't actually get promiscuous sniffing.

If you make that first ifconfig

        ifconfig bond0 promisc up

then when the ifenslaves run, they'll propagate the promisc down to
the underlying eth1 and eth2.

One participant on the bonding developers mailing list is working on
a fix for this; however, another participant is arguing against it,
preferring the current behavior. The workaround for this isn't too
onerous, so I'm not sweating it:-).

Is it easy to use such an interface to be able to listen to more
traffic (for example by using 4 interfaces to listen to up to
400Mbits of traffic) ?

It's easy to use such an interface to listen to multiple interfaces
--- e.g., aggregating the traffic from the two directions that's
pulled out by a network tap.

It's not easy to sniff faster than 100Mbps. If it were easy, it
would be easy with the bonding driver; that driver is easy to use.
But to sniff faster than 100Mbps you need to do quite a few things.
You need to get the patched ringbuffer libpcap. You need to disable
expensive parts of snort. You need to disable signatures you aren't
interested in. You need to tune the remainder so they're only
checked for traffic directed at specific hosts where you're
interested in those sigs; for starters, you need to set all the
*_NET, *_SERVERS, and *_PORTS vars in snort.conf very precisely and
tightly, #-out the includes of any rules files you're not urgently
interested in, and #-out every last individual sid you're not
specifically concerned about.

Starting with that sort of tuning, plenty of memory (512MB or more
is great), and a good fast CPU (at least 1GHz PIII or better) you
ought to be able to handle well over 100Mbps. Without that tuning,
with the stock snort as shipped config, expect to max out somewhere
more like 50Mbps.

No matter how hard you tune, there's a wall you'll hit somewhere
between 250 and 300Mbps on a PCI bus, you simply cannot haul the
packets out of the NIC faster.

PCIx will kick that up to 500-600Mbps.

No, it's not easy to listen to 400Mbps of traffic, but the reason
has nothing to do with the bonding driver:-).

-Bennett
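The workaround and the check it calls for, as an added example that is not part of Bennett's post: a POSIX shell script that sets promisc on bond0 before enslaving (the ordering the post describes) and then verifies, by reading each device's flags word from sysfs, that the slaves really ended up promiscuous instead of trusting the driver. The interface names bond0/eth1/eth2, the ifconfig/ifenslave commands, and the sysfs path /sys/class/net/<dev>/flags (where IFF_PROMISC is bit 0x100, per linux/if.h) are assumptions, not something the post states; sysfs did not exist on the 2.4 kernels of 2003, where the equivalent check is `ifconfig eth1` printing PROMISC among its flags. Current bonding drivers do propagate promiscuity to their slaves, which is exactly why the script verifies rather than assuming either behaviour.

```shell
#!/bin/sh
# Added example (not from the original post). Bring a bond up in
# promiscuous mode BEFORE enslaving its interfaces, then verify that
# the promisc flag actually reached every slave.
#
# Assumptions (not stated in the post): device names bond0/eth1/eth2,
# the ifconfig/ifenslave tools, and that /sys/class/net/<dev>/flags
# exposes the interface flags as a hex word (IFF_PROMISC = 0x100).

SYSFS_NET=${SYSFS_NET:-/sys/class/net}

# The post's workaround: promisc is set on the bond first, because the
# old bonding driver only copied mode settings down at ifenslave time.
# Needs root and real interfaces; not exercised by the self-test.
setup_bond_promisc() {
    bond=$1; shift
    ifconfig "$bond" promisc up || return 1
    for slave in "$@"; do
        ifconfig "$slave" up || return 1
        ifenslave "$bond" "$slave" || return 1
    done
}

# Return 0 if the hex flags word (e.g. 0x1103) has IFF_PROMISC (0x100) set.
flags_have_promisc() {
    [ $(( $1 & 0x100 )) -ne 0 ]
}

# Return 0 only if every named device reports IFF_PROMISC in sysfs;
# name the offenders so the operator sees which slave was missed.
check_promisc() {
    rc=0
    for dev in "$@"; do
        flags=$(cat "$SYSFS_NET/$dev/flags" 2>/dev/null) || {
            echo "$dev: no such device" >&2
            rc=1
            continue
        }
        if flags_have_promisc "$flags"; then
            echo "$dev: promisc OK ($flags)"
        else
            echo "$dev: NOT promiscuous ($flags)" >&2
            rc=1
        fi
    done
    return $rc
}

# Typical use, as root, before starting the sniffer:
#   setup_bond_promisc bond0 eth1 eth2 \
#     && check_promisc bond0 eth1 eth2 \
#     && snort -i bond0 -c snort.conf
```

Run `check_promisc bond0 eth1 eth2` after `snort -i bond0` has started as well: if bond0 reports promisc but a slave does not, you have reproduced the failure the post describes and only the bond's own MAC traffic is being captured from that slave.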
