Snort mailing list archives
RE: Snort as Gigabit Sensor
From: "Donofrio, Lewis" <donofrio () umich edu>
Date: Tue, 29 Jul 2003 12:57:59 -0400
For more horsepower you might want to retest on the Mac OS X G5 coming out in August, and a bigger bus....just a thought.

______________________________________________________________________
Lewis Donofrio () umich edu
College of Literature, Science, & Arts
1007 East Huron, Room 201, BetaID:243340
Ann Arbor, MI 48104-1690
Cell: (734) 323-8776
Fax: (734) 647-8333
www.umich.edu/~donofrio

-----Original Message-----
From: Kreimendahl, Chad J [mailto:Chad.Kreimendahl () umb com]
Sent: Tuesday, July 29, 2003 12:38 PM
To: Bennett Todd; Banniza Robert
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort as Gigabit Sensor

As a beta test I set up an Intel machine running FreeBSD 5.x with several interfaces. Specs are PIII 2GHz 512MB. With polling compiled into the kernel I did some eyeball tests. This is all pushing @500Mbps of a large capture. Now, unfortunately for FreeBSD polling is not dynamic, it's on or off. So this test was done having one window open monitoring interrupts, one watching iostat and one to set/unset the flag for polling.

With polling OFF:
- system went into live-lock
- took a while to recover
- was using 97% kernel time (interrupts)

With polling ON:
- system ran like a beautiful dream
- didn't appear as if anything was going on with the system
- was using 3% kernel time (polling interrupts)
- snort was taking about 40% cpu with everything turned on
- didn't check memory usage (didn't care)

Unfortunately for FreeBSD and Linux and Solaris, interrupts don't spread across SMP. So doubling your processor doesn't get you twice the bandwidth/interrupt handling. Though, if you're wanting to push massive gigabits, it would work well to always have that extra CPU for snort.

The limitation above Gig is indeed the PCI bus. 64bit bus doubles this limitation (approx 2.5Gbps?). There is a solution for the PCI bus... And that's built-in networking chipsets:
http://www.sun.com/servers/entry/v240/datasheet.pdf
http://www.sun.com/servers/entry/v210/datasheet.pdf

In theory you could push 4Gbps to the built-in, 4Gbps to the 66MHz PCI and 2Gbps to the 33MHz PCI. With polling on, the system could watch 10 Gbps without a problem (hope I get to test this theory). Your only downside would be analyzing all this data...

... This leads me to... What about a threading snort? I know this was going on a while back but taken out... Why?

-----Original Message-----
From: Bennett Todd [mailto:bet () rahul net]
Sent: Thursday, July 24, 2003 2:37 PM
To: Banniza Robert
Cc: 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] Snort as Gigabit Sensor

2003-07-24T14:43:39 Banniza Robert:
> Anyone have any good pointers on tuning Linux (Redhat 9) as a gigabit sensor?

Not this year. Expect to hit a flat out impenetrable wall at c. 300Mbps for a PCI-bus NIC, possibly as much as 550-600 for PCIx. These limits seem to show up consistently, I've heard 'em from a lot of different sources.

To approach those speeds you should
- run on unnumbered interface in promisc --- you don't want the OS's IP stack analyzing the traffic (hence TCP tuning won't help)
- use snort 2
- give it plenty of ram (512MB is a good idea, cheap as ram is go ahead and give it a GB for future-proofing)
- get the ring-buffered libpcap for Linux
- go through the preprocessors, seeing which ones you can do without
- tune the config --- this is not optional if you want to hit multiple-hundred-mbps performance realms. Dial out false positives, get the alarm-generation rate down to something reasonable. Adjust the *_NET, *_SERVERS, *_PORTS tuning vars in snort.conf. #-out rules files you're not actively interested in. Examine the individual rules in the files you're including and eliminate any that don't apply to platforms you use.

Once you've gone down that road, a modern hot box ought to be able to snort at bus speed limit (c. 300/550 Mbps as mentioned above). Next year's hot box with a faster interface to the NIC may well be able to do an honest Gbps. Maybe. I'll believe it when I see it:-).

-Bennett
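An added example, not code from the thread or from the Snort project: a small Python check over a constructed snort.conf fragment that applies Bennett's config-tuning items, flagging *_NET/*_SERVERS/*_PORTS vars whose effective value is still "any" (following $VAR references), listing the preprocessors enabled for the "do without" review, and #-ing out rules files you are not interested in. The sample config and the set of files to drop are constructed for illustration.

```python
import re

# Constructed sample snort.conf fragment for illustration (not from the thread).
SAMPLE_CONF = """\
var HOME_NET any
var EXTERNAL_NET any
var HTTP_SERVERS $HOME_NET
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor http_decode: 80 unicode iis_alt_unicode
include $RULE_PATH/web-iis.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/dns.rules
"""

VAR_RE = re.compile(r"^\s*var\s+(\S+)\s+(.+?)\s*$")
PREPROC_RE = re.compile(r"^\s*preprocessor\s+([A-Za-z0-9_]+)")
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")
TUNE_RE = re.compile(r"_(NET|SERVERS|PORTS)$")

def find_untuned_vars(conf):
    """Names of *_NET/*_SERVERS/*_PORTS vars whose effective value is still 'any'."""
    vals = {}
    for line in conf.splitlines():
        m = VAR_RE.match(line)
        if m:
            vals[m.group(1)] = m.group(2).strip()
    def effective(v, hops=0):
        # Follow $REF chains so HTTP_SERVERS $HOME_NET inherits HOME_NET's 'any'.
        while v.startswith("$") and v[1:] in vals and hops < 10:
            v, hops = vals[v[1:]], hops + 1
        return v
    return [n for n, v in vals.items()
            if TUNE_RE.search(n) and effective(v).lower() == "any"]

def list_preprocessors(conf):
    """Preprocessor names enabled in the config, in order, for the 'do without' review."""
    return [m.group(1) for m in map(PREPROC_RE.match, conf.splitlines()) if m]

def disable_rule_files(conf, drop):
    """#-out include lines whose rules-file basename is in drop; return (new_conf, dropped)."""
    out, dropped = [], []
    for line in conf.splitlines():
        m = INCLUDE_RE.match(line)
        name = m.group(1).rsplit("/", 1)[-1] if m else None
        if name in drop:
            out.append("# " + line)
            dropped.append(name)
        else:
            out.append(line)
    return "\n".join(out) + "\n", dropped
```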