Re: Snort as Gigabit Sensor

[twig les <twigles () yahoo com>]

We are doing something similar.  6509 with a gig card (fiber
3com) doing more than 14Mb without a problem.  The box we are
using isn't even that big: 2 PIII 1GHz CPUs, 1 gig old sdram.  2
things we chose specifically that may help us are: 1. we use a
66MHz, 64-bit PCI slot instead of a normal 33MHz one, 2. we have
dual scsi controllers - one hard drive for the OS, one for the
data.  We also use FreeBSD, which I can't prove is faster than
RH but I have to say that we use it because that is a
significant difference between our setups.  No OS wars in my
name.

So I guess I'm dodging the RH9 tuning question but you may have
a bottleneck in the hardware.  Also if you can't even get 14Mb
of traffic without loss I'd check the cabling, switch interface,
NIC driver, etc. too, that is just a really low number.

--- Banniza Robert <Robert.Banniza () HCAhealthcare com> wrote:
> Anyone have any good pointers on tuning Linux (Redhat 9) as a
> gigabit
> sensor? Currently, we are using a Broadcom Corporation
> NetXtreme BCM5703
> Gigabit Ethernet (TG3 kernel module) Netgear card as the
> sniffing card. We
> have set up a span port so that we can see all traffic on a
> Cisco 6509. The
> sad thing is we are encountering 40% packet loss. The network
> interfaces
> were statically compiled into the kernel and /etc/sysctl.conf
> was modified
> with the following to provide larger buffers:
>
> # increase Linux TCP buffer limits
> net.core.rmem_max = 8388608
> net.core.wmem_max = 8388608
> net.core.rmem_default = 65536
> net.core.wmem_default = 65536
>
> # increase Linux autotuning TCP buffer limits
> net.ipv4.tcp_rmem = 4096 87380 8388608 
> net.ipv4.tcp_wmem = 4096 65536 8388608 
> net.ipv4.tcp_mem = 8388608 8388608 8388608
>
> # flush window size
> net.ipv4.route.flush=1
> net.core.netdev_max_backlog=2500
>
> We have not performed any rule tuning yet and the current
> sustained
> throughput we have seen through this connection is around 
> 14Mb which is
> nowhere close to gigabit speeds. Any ideas?
>
> Thanks
> Robert
>
>
> -------------------------------------------------------
> This SF.Net email sponsored by: Free pre-built ASP.NET sites
> including
> Data Reports, E-commerce, Portals, and Forums are available
> now.
> Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


=====
-----------------------------------------------------------
Emo is what happens when the glee club goes punk.       
-----------------------------------------------------------

__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com


-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users