Snort mailing list archives
logging traffic volume (was Re: Bandwidth measurements and correlations)
From: Bennett Todd <bet () rahul net>
Date: Tue, 11 Mar 2003 09:48:53 -0500
There's really no way to answer the question. At one extreme, you could have a very carefully tuned server that succeeds in handling nearly 300Mbps (PCI bus) or even over 500Mbps (PCIx); if the traffic passing it contains nothing that alerts at all, then you'll have zero logging traffic required.

At the opposite extreme, if you have a misconfigured snort positioned so that it sees its own alerts as they are being logged, and if one of the signatures has the characteristic that it will match on its own alert, then you can throw snort into a tight loop continuously spewing alerts as fast as it can, with no additional incoming traffic needed.

Reality with "interesting" traffic and correctly configured snorts will likely lie somewhere in between. But it will still depend on how grungy the traffic is. Are you sniffing a honeypot, with the highest real-life density of evil traffic? Or are you sniffing traffic off a back-end LAN segment with nothing but a few well-maintained, carefully administered servers talking to each other?

And then how well you tune the snort instance: with sufficient tuning to eliminate common classes of false positives, snort can generally be tamed; but unless you're prepared to invest a lot of engineering effort crafting fine-tuning, you may end up with enough of the includes and the sids #-ed out that the resulting snort is half-blind.

I hate to do this to you, but the only useful working answer to your question has to be "try it and see". Fortunately, it's cheap to do so.

-Bennett
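The "try it and see" measurement above amounts to running snort on the segment for a while and dividing the alert log by the elapsed time. The script below is an added example, not part of the original post or of the Snort project: it parses a Snort 2.x "fast"-style alert file (the line layout is my reading of that format, and the sample lines are constructed, not captured), reports alerts per second, log bytes per second and the noisiest SIDs, and flags alerts whose destination is the log sink (hypothetical collector 10.9.9.1 on UDP 514), which is the first sign of the self-matching feedback loop the post warns about.

```python
"""Estimate Snort alert-log volume and spot alert-on-own-log feedback.

Added example; not from the original mailing-list post. The fast-alert
layout parsed here is an approximation of Snort 2.x output, and the
sample lines below are constructed for illustration.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample (not a real capture). The last two lines go to the
# hypothetical syslog collector that snort itself logs to.
SAMPLE_ALERTS = """\
03/11-09:48:53.000010  [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.1.1.5:1434 -> 10.2.2.2:1434
03/11-09:48:53.500000  [**] [1:1000001:1] LOCAL hypothetical test rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.1.1.7:33000 -> 10.2.2.3:80
03/11-09:48:54.000000  [**] [1:1000001:1] LOCAL hypothetical test rule [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.9.9.9:40000 -> 10.9.9.1:514
03/11-09:48:55.000000  [**] [1:1000001:1] LOCAL hypothetical test rule [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.9.9.9:40001 -> 10.9.9.1:514
"""

# One fast-format alert per line; ports are optional so ICMP lines still parse.
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_fast(text, year=2003):
    """Yield one dict per parseable alert line; skip anything that does not match."""
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if not m:
            continue  # blank, truncated or unexpected layout: ignore, don't crash
        # Fast alerts carry no year, so the caller supplies it.
        ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        yield {
            "ts": ts,
            "sid": f"{m['gid']}:{m['sid']}",
            "proto": m["proto"],
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]) if m["dport"] else None,
            "bytes": len(line) + 1,  # count the newline the log file carries
        }


def summarize(text, log_sink=None, year=2003):
    """Return alert count, duration, rates, top SIDs and feedback-loop candidates.

    log_sink is an optional (ip, port) tuple for the host snort logs to;
    alerts addressed there mean snort is watching its own alert traffic.
    """
    alerts = list(parse_fast(text, year))
    if not alerts:
        return {"alerts": 0}
    duration = (alerts[-1]["ts"] - alerts[0]["ts"]).total_seconds()
    total_bytes = sum(a["bytes"] for a in alerts)
    feedback = [a for a in alerts
                if log_sink is not None and (a["dst"], a["dport"]) == log_sink]
    # A single alert gives no usable interval; report rates as None then.
    rate = (len(alerts) / duration) if duration > 0 else None
    return {
        "alerts": len(alerts),
        "duration_s": duration,
        "bytes": total_bytes,
        "alerts_per_s": rate,
        "bytes_per_s": (total_bytes / duration) if duration > 0 else None,
        "top_sids": Counter(a["sid"] for a in alerts).most_common(3),
        "feedback_alerts": len(feedback),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_ALERTS, log_sink=("10.9.9.1", 514))
    for k, v in s.items():
        print(f"{k:16} {v}")
    if s["feedback_alerts"]:
        print("WARNING: alerts addressed to the log sink; snort may be seeing its own alerts")
```

A high count under `feedback_alerts`, especially when one SID dominates `top_sids`, is the tight loop described above; the fix is to keep the logging path off the monitored segment or exclude it with a BPF filter, not to tune the rule.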