Snort mailing list archives

RE: Snort as Gigabit Sensor


From: "Hutchinson, Andrew" <andrew.hutchinson () Vanderbilt Edu>
Date: Fri, 25 Jul 2003 08:40:24 -0500

I have a couple of items on this:

- I'm using Intel Pro/1000F adapters with great success.  The host it is
running on is a Dual PIII-850 machine w/ 256MB RAM, and sees sustained
traffic in the 50Mbit/s range all day (8-5), with peaks to the 100Mbit/s
range.  I generally run < 1% packet loss, even running spp_portscan and
a fairly complete ruleset.  OS is RH7.3, 2.4.18smp kernel, compiled w/
only what was absolutely necessary.  NIC driver is a loadable module
though (not static).

- Jason points out that Gb Ethernet is common these days, and it is.
However, people needing true Gbit IDS are rarer (though not by any means
nonexistent - I'm sure that there are a number of people on this list
that truly need Gbit IDS).   I can't count the number of times that
people told me "I need a Gigabit Firewall" or "I need a Gigabit ID
sensor", and then I graph traffic for a week and discover that they're
pushing less than 10Mbit average through the connection in question.  In
one case, the group that "HAD to have a Gigabit firewall" was averaging
less than 200 kb/s through their connection.  Just because the fat pipe
is there doesn't mean it's full.  :-)

Andrew Hutchinson - Network Security
Vanderbilt University Medical Center
(615) 936-2856


-----Original Message-----
From: Jason Haar [mailto:Jason.Haar () trimble co nz] 
Sent: Thursday, July 24, 2003 7:06 PM
To: 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] Snort as Gigabit Sensor


Jeff wrote:

Some other posts to this thread talk about getting the max performance
out of a single system, up to 300-500Mbps.  To get a full Gig (well
700Mbps or so anyway) of IDS traffic you'll need to load balance a
server farm.  Check out the Nortel Alteon Web Switches which have IDS


Can I just ask a naive question? Needing to load balance is only due to
the sites requiring PCI-based IDS isn't it? I mean, there are Gb IDS out
there - they wouldn't need load balancers would they?

Pretty scary: Gb Ethernet isn't exactly cutting edge these days - being
required to go over to load balancers must really change the budget
requirements...

[so sayeth the lucky 100M-max Snort user ;-)]

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


