Snort mailing list archives

logging traffic volume (was Re: Bandwidth measurements and correlations)


From: Bennett Todd <bet () rahul net>
Date: Tue, 11 Mar 2003 09:48:53 -0500

There's really no way to answer the question.

At one extreme, you could have a very carefully tuned server that
succeeds in handling nearly 300Mbps (PCI bus) or even over 500Mbps
(PCIx); if the traffic passing it contains nothing that alerts at
all, then you'll have zero logging traffic required.

At the opposite extreme, if you have a misconfigured snort
positioned so that it sees its own alerts as they are being logged,
and if one of the signatures has the characteristic that it will
match on its own alert, then you can throw snort into a tight loop
continuously spewing alerts as fast as it can, with no additional
incoming traffic needed.

Reality with "interesting" traffic and correctly configured snorts
will likely lie somewhere in between.

But it will still depend on how grungy the traffic is. Are you
sniffing a honeypot, with the highest real-life density of evil
traffic? Or are you sniffing traffic off a back-end lan segment with
nothing but a few well-maintained, carefully administered servers
talking to each other?

And then how well you tune the snort instance; with sufficient
tuning to eliminate common classes of false positives, snort can
generally be tamed; but unless you're prepared to invest a lot of
engineering effort crafting fine-tuning, you may end up with enough
of the includes and the sids #-ed out that the resulting snort is
half-blind.

I hate to do this to you, but the only useful working answer to your
question has to be "try it and see". Fortunately, it's cheap to do
so.

-Bennett
