Snort mailing list archives
Re: snort and bonding
From: Bennett Todd <bet () rahul net>
Date: Fri, 7 Mar 2003 15:56:52 -0500
2003-03-07T12:38:23 Patrice Boulanger:
> Has anyone already used snort with network interface bonding?
All the time, works like a champ. Only one caveat: the Linux bonding driver does not propagate mode settings like promiscuous down from the bond0 driver to the enslaved ethN drivers; the settings are only propagated down at ifenslave time. So if you do this:

    ifconfig bond0 up
    ifconfig eth1 up
    ifenslave bond0 eth1
    ifconfig eth2 up
    ifenslave bond0 eth2
    snort -i bond0 ...

snort will set bond0 to promisc, but bond0 won't propagate it down to eth1 and eth2, so you won't actually get promiscuous sniffing. If you make that first ifconfig

    ifconfig bond0 promisc up

then when the ifenslaves run, they'll propagate the promisc down to the underlying eth1 and eth2. One participant on the bonding developers mailing list is working on a fix for this; however, another participant is arguing against it, preferring the current behavior. The workaround for this isn't too onerous, so I'm not sweating it :-).
> Is it easy to use such an interface to be able to listen to more traffic (for example by using 4 interfaces to listen to up to 400Mbits of traffic)?
It's easy to use such an interface to listen to multiple interfaces --- e.g., aggregating the traffic from the two directions that's pulled out by a network tap. It's not easy to sniff faster than 100Mbps. If it were easy, it would be easy with the bonding driver; that driver is easy to use. But to sniff faster than 100Mbps you need to do quite a few things. You need to get the patched ringbuffer libpcap. You need to disable expensive parts of snort. You need to disable signatures you aren't interested in. You need to tune the remainder so they're only checked for traffic directed at specific hosts where you're interested in those sigs; for starters, you need to set all the *_NET, *_SERVERS, and *_PORTS vars in snort.conf very precisely and tightly, #-out the includes of any rules files you're not urgently interested in, and #-out every last individual sid you're not specifically concerned about.

Starting with that sort of tuning, plenty of memory (512MB or more is great), and a good fast CPU (at least 1GHz PIII or better) you ought to be able to handle well over 100Mbps. Without that tuning, with the stock snort as-shipped config, expect to max out somewhere more like 50Mbps. No matter how hard you tune, there's a wall you'll hit somewhere between 250 and 300Mbps on a PCI bus; you simply cannot haul the packets out of the NIC faster. PCI-X will kick that up to 500-600Mbps.

No, it's not easy to listen to 400Mbps of traffic, but the reason has nothing to do with the bonding driver :-).

-Bennett
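The ordering trick described in the reply above, written out as a script that also verifies the result. This is an added example, not code from the original thread: it sets promisc on the bond device before enslaving, as Bennett recommends, and then reads each slave's flags back from sysfs so you can see whether the promisc bit actually reached the physical NICs on your kernel rather than assuming it did. It assumes a Linux box with sysfs (/sys/class/net), net-tools ifconfig and the ifenslave tool on the PATH; the interface names bond0, eth1 and eth2 are placeholders, and IFF_PROMISC (0x100) is the flag bit from <linux/if.h>.

```shell
#!/bin/sh
# Added example (not from the original post): bring up a bonded sniffing
# interface in the order the post recommends (promisc on bond0 BEFORE
# ifenslave), then check that the promisc flag reached every slave.
# Assumes: Linux with sysfs, net-tools ifconfig, ifenslave; names are placeholders.

IFF_PROMISC=256   # 0x100, IFF_PROMISC from <linux/if.h>

# flags_has_promisc HEXFLAGS -> prints "yes" or "no".
# HEXFLAGS is the contents of /sys/class/net/<if>/flags, e.g. 0x1103.
flags_has_promisc() {
    if [ $(( $1 & IFF_PROMISC )) -ne 0 ]; then
        echo yes
    else
        echo no
    fi
}

# iface_is_promisc IFNAME -> "yes"/"no", read back from the kernel, not from
# what we asked for.  Assumes sysfs is mounted.
iface_is_promisc() {
    flags_has_promisc "$(cat "/sys/class/net/$1/flags")"
}

# bond_sniff_setup BOND SLAVE... : the working order from the post.
# Returns non-zero if any slave ended up without promisc, i.e. the bonding
# driver on this kernel did not pass the flag down.
bond_sniff_setup() {
    bond=$1; shift

    # promisc is set on the bond first, so each ifenslave copies it down.
    ifconfig "$bond" promisc up
    for slave in "$@"; do
        ifconfig "$slave" up
        ifenslave "$bond" "$slave"
    done

    rc=0
    for slave in "$@"; do
        if [ "$(iface_is_promisc "$slave")" = yes ]; then
            echo "$slave: promisc OK"
        else
            echo "$slave: NOT promisc; snort -i $bond would miss traffic not addressed to $slave" >&2
            rc=1
        fi
    done
    return $rc
}

# The privileged part only runs when explicitly requested, e.g.
#   BOND_SETUP=1 sh bond-sniff.sh bond0 eth1 eth2
if [ "${BOND_SETUP:-}" = 1 ]; then
    bond_sniff_setup "$@" && echo "ready: snort -i $1 ..."
fi
```

If the final check reports a slave as NOT promisc after this ordering, the fix is not in the script; it is the bonding driver of that kernel, and you would re-run with the `ifconfig bond0 promisc up` line first to confirm the ordering was honoured. The check is deliberately read from /sys/class/net rather than inferred from the commands issued, because the whole problem in the thread is that the flag you set on bond0 is not the flag the hardware ends up with.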
Current thread:
- snort and bonding Patrice Boulanger (Mar 07)
- Re: snort and bonding Bennett Todd (Mar 07)
- Re: snort and bonding Michael Boman (Mar 08)
- <Possible follow-ups>
- RE: snort and bonding Scott Williams (Network) (Mar 18)