RE: Gigabit NIC's and snort hardware required??

["Zach Forsyth" <Zach.Forsyth () kiandra com>]

Bennet,

That is great information.
Thanks.

Couple of questions.
When I use the command :> snort -vi2, shouldn't that be a very fast
running version of snort?
It is only logging to the dos window I run it in. Is it using any rules
when run in this way?

I was under the impression that if it could not keep up with that
command when I tell it to log or alert to a DB it would be even worse.

So for my 1gb snort box I will look at something like:

P4 Xeon - does Xeon make a big difference? does it matter if it is dual
or not?
512mb or 1gb ddr ram - ram speed help, or just amount?
64bit pci slot
64bit PCI gb nic v- any nics that are preferable, the compaq/hp one is
an intel anyways.
SATA or SCSI raid? Does disk speed make a huge difference?

In order if importance to snort speed:

Tuning
Pci bus and gb card speed
memory
Processor

?? I have no idea really, but would love to hear some opinions.

Thanks for all the help.
I will look into all of the tips you have mentioned already.

Zach



-----Original Message-----
From: Bennett Todd [mailto:bet () rahul net] 
Sent: Thursday, 5 June 2003 23:28 PM
To: Zach Forsyth
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Gigabit NIC's and snort hardware required??


2003-06-05T03:58:24 Zach Forsyth:
> Actually I wanted to ask what hardware I need to successfully run 
> snort 2.x on a Cisco 3508 fibre gigabit switch.

Sounds like you already successfully ran it. As far as I know, if you
could cram enough memory in, and if you could find the required
interface hardware, you could run snort on a 386SX-16 against any NIC.
Problem is, it might not keep up. Could of course, it doesn't take a
fast pig to keep up with an idle net.

> Just using the command :> snort -vi2 from the dos command prompt I am 
> losing between 30%-50% of all packets.
>
> Does this sound right?

Yup, it does indeed, given what you said below (100Mbps likely). Untuned
snort works pretty well on modern PCs up to c. 50Mbps, then it starts
getting important to tune.

> Should I be swapping to linux? No dramas to do that just had a win2k 
> box handy for this afternoon.

I can't comment on the Linux <-vs-> Windows performance question, I
don't know, I've never tried snort on Windows. I believe some people
have claimed particularly good results running on Linux built with the
ring-buffering libpcap.

> Any ideas on what is really needed for snort to cap GB traffic?

For snort to really reliably handle 1Gbps of actual traffic, you need
different hardware. You need either a machine with a bus architecture
capable of delivering that much bandwidth to memory from a NIC (plus a
fairly hot CPU and a load of memory), or else you need to schmear the
load out over multiple systems. A toplayer switch can do the latter. A
standard PCI bus can track up to 300Mbps with sufficient tuning; PCIx
can pump that up around 600Mbps. Faster than that needs something newer
and quicker, or else multiple somethings dispatched from a toplayer.

> Just ballpark for say between 100-200mb/s - I am sure it is not more 
> than this, but could be proved wrong.

Ok, now that you can do.

For seriously highest-performance snort, 512MB may be adequate, but 1GB
might be more comfortable. Think about throwing more memory at this
problem, memory is cheap. Use snort version 2, it's faster than 1.x, but
more memory hungry (the extra memory is directly being used to make it
faster). Then tune snort.

(1) Do basic tuning. Set the *_NET and *_PORTS vars in snort.conf
    appropriately for your network. Make sure you're running snort
    either with -A fast or else with syslog to another machine,
    don't log -A full.  Packet dump with "-b", for libpcap binary
    format. Or, if you're going to be using barnyard, ditch all the
    regular logs and have snort write only the unified binary format
    that barnyard reads.

(2) Do intermediate tuning. Read all of snort.conf, look for things
    you purely don't care about at all. There are a lot of rules
    files that get included, #-out those related to protocols you
    don't use, for which you have no servers that could possibly be
    attacked. If you can spend the time, skim the rules files,
    looking for sigs you really aren't interested in, and # them
    out.

(3) See how many alerts are being generated. Tune to eliminate
    alerts. If snort is generating hundreds or thousands of alerts
    per second, it'll never perform, and the alerts will be useless.
    If you really want a hot little piggie, see if you can get the
    alerts well down below 1/second. Less than 1/minute is even
    better. Some alerts you eliminate by fixing the buggy network
    env that triggered 'em, others you deem "false positives"
    for your environment and disable in the snort config, either
    disabling preprocessor features or #-ing out rules, depending
    on what triggered the alert. In extreme cases you can fine-tune
    using pass rules or using bpf filters.

At this point, with a decent NIC, a hot CPU, and plenty of RAM, your
snort should be happily keeping up with satisfactorily low drop rates at
200Mbps or better.

-Bennett


-------------------------------------------------------
This SF.net email is sponsored by:  Etnus, makers of TotalView, The best
thread debugger on the planet. Designed with thread debugging features
you've never dreamed of, try TotalView 6 free at www.etnus.com.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users