Snort mailing list archives
RE: Snort as Gigabit Sensor
From: "Kreimendahl, Chad J" <Chad.Kreimendahl () umb com>
Date: Fri, 25 Jul 2003 10:54:47 -0500
Sometimes the need to load balance is based on hardware available.. Unfortunately it's greatly more expensive to buy a load balancer [ see: http://www.toplayer.com/ and http://www.radware.com/ ], than it is to simply buy a system capable of handling the gigabit load. If a system is configured properly, and the drivers for the network device are configured for polling, gigabit shouldn't be a problem for a system costing less than $3k.

Where the need for load balancing comes in, mostly for corps, is when you have redundant or HA networks. For example: If you have highly available web servers, each being connected to 2+ switches, and if those web servers either fail over or do some sort of trunking or load balancing, you're not always going to be able to reassemble streams properly, as the data may be split out across multiple potential sensors.

In our dev environment we've been beta testing some of these load balancers and have found some pretty sweet arze uses for them. Using them to bring streams separated across devices is wonderful. Most of these devices will allow you to take all of your input and split it out based on a set of rules, whether it be IP, port or physical separation. This helps greatly in separation of duties for snorts, such as pushing all web traffic to one sensor, allowing preprocessors like rpc_decode and the like to be turned off... and vice versa for turning off the http decode stuff for those not getting port 80 data. Or what about sending all UDP to one sensor and turning off all non UDP rules. This is great when you have a highly controlled env... and if you have no need for portscan2, since these types of setups can miss scans.

As for gig capabilities: Generally speaking, for less than most companies charge for sensors, you could easily build one that would handle gigabit, but you must have NIC drivers that do polling and an OS that supports it (FreeBSD 4.5+,5; Solaris 8,9; etc..).
For load balancing: Many people in the corporate world have need for load balancing, but their reason isn't a 3-500Mbps limit... it's often the 1Gbps limit and/or an HA-redundant network setup.

-----Original Message-----
From: Jason Haar [mailto:Jason.Haar () trimble co nz]
Sent: Thursday, July 24, 2003 7:06 PM
To: 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] Snort as Gigabit Sensor

Jeff wrote:
Some other posts to this thread talk about getting the max performance out of a single system, up to 300-500Mbps. To get a full Gig (well 700Mbps or so anyway) of IDS traffic you'll need to load balance a server farm. Check out the Nortel Alteon Web Switches which have IDS
Can I just ask a naive question? Needing to load balance is only due to the sites requiring PCI-based IDS isn't it? I mean, there are Gb IDS out there - they wouldn't need load balancers would they?

Pretty scary: Gb Ethernet isn't exactly cutting edge these days - being required to go over to load balancers must really change the budget requirements...

[so sayeth the lucky 100M-max Snort user ;-)]

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
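Added example (not part of the original posts): a small Python model of the stream-splitting problem described in the reply above, comparing per-packet distribution with a direction-independent flow hash and with the rule-based split (UDP to one sensor, port 80 to another). The sensor names and packet tuples are constructed for illustration.

```python
import hashlib
from collections import defaultdict

SENSORS = ["sensor-a", "sensor-b", "sensor-c"]  # hypothetical sensor pool

# Constructed packets: (src, sport, dst, dport, proto), both directions included.
PACKETS = [
    ("10.0.0.5", 40000, "192.0.2.10", 80, "tcp"),   # client -> web server
    ("192.0.2.10", 80, "10.0.0.5", 40000, "tcp"),   # web server -> client
    ("10.0.0.5", 40000, "192.0.2.10", 80, "tcp"),
    ("192.0.2.10", 80, "10.0.0.5", 40000, "tcp"),
    ("10.0.0.7", 5353, "192.0.2.53", 53, "udp"),    # DNS query
    ("192.0.2.53", 53, "10.0.0.7", 5353, "udp"),    # DNS reply
    ("10.0.0.9", 41000, "192.0.2.22", 22, "tcp"),
    ("192.0.2.22", 22, "10.0.0.9", 41000, "tcp"),
]

def flow_key(src, sport, dst, dport, proto):
    """Direction-independent key: both halves of a connection map to one key."""
    a, b = sorted([(src, sport), (dst, dport)])
    return f"{proto}|{a[0]}:{a[1]}|{b[0]}:{b[1]}"

def per_packet(i, pkt):
    """Round-robin by packet: balances load but ignores flow membership."""
    return SENSORS[i % len(SENSORS)]

def per_flow(i, pkt):
    """Stable hash of the symmetric flow key: one sensor sees the whole stream."""
    digest = hashlib.sha256(flow_key(*pkt).encode()).digest()
    return SENSORS[int.from_bytes(digest[:4], "big") % len(SENSORS)]

def by_rule(i, pkt):
    """Rule-based split: all UDP to one sensor, all port-80 TCP to another."""
    _, sport, _, dport, proto = pkt
    if proto == "udp":
        return "sensor-udp"
    if proto == "tcp" and 80 in (sport, dport):
        return "sensor-web"
    return per_flow(i, pkt)

def sensors_per_flow(assign, packets=PACKETS):
    """Map each flow to the set of sensors that received any of its packets."""
    seen = defaultdict(set)
    for i, pkt in enumerate(packets):
        seen[flow_key(*pkt)].add(assign(i, pkt))
    return dict(seen)

def split_flows(assign, packets=PACKETS):
    """Flows no single sensor saw completely, so stream reassembly is incomplete."""
    return sorted(k for k, s in sensors_per_flow(assign, packets).items() if len(s) > 1)

if __name__ == "__main__":
    for fn in (per_packet, per_flow, by_rule):
        print(fn.__name__, "split flows:", split_flows(fn))
```

Any flow reported by `split_flows` is one where stream reassembly and stateful rules on each sensor only see part of the conversation.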