Snort mailing list archives
Re: Snort Kernel Module
From: Mark Nipper <nipsy () tamu edu>
Date: Mon, 6 Oct 2003 18:29:36 -0500
On 06 Oct 2003, Josh Berry wrote:
> Mostly I need the performance improvements this would add. Where I work we have some developers, so the cost wouldn't be an issue. We would like to run a Linux Intrusion Prevention System with Bridge/Netfilter/Snort-Inline, however, for where we would like to use it, we are worried that the system would not be able to handle the traffic. I have been using Bridge/Netfilter/Snort-Inline at home now for some time and have done some testing, but do not think that it could handle the load we would need. If we could get it to perform at a satisfactory level that would allow us to use an open-source solution rather than pay $20,000 to $50,000 for a commercial IPS system.

Out of curiosity, are you using ebtables (http://ebtables.sourceforge.net/) to do this in the Linux kernel? I'm using OpenBSD and Snort currently to do this, but I'm using Snort passively (not inline) so there is a second or so of delay and some packets do get through. I was just wondering if the ebtables stuff in Linux (netfilter over a bridge) was actually mostly stable.

For what it's worth, the biggest issue seems to be how well the box can hold up based on very small packets per second. If you can maintain high rates of throughput with very small packets, then your box should be a success. Also, gigabit interfaces tend to perform better under these kinds of loads, even on 100Mbps connections, so buy some Intel gigabit desktop adapters and see if it helps.

What I'd really like to see is a box that works fully at layer 7 like a Packeteer (http://www.packeteer.com/) but didn't cost $25k and actually worked under heavy loads (which our Packeteers seem to have problems doing).

--
Mark Nipper
Computing and Information Services
Texas A&M University