Snort mailing list archives

Re: Snort Kernel Module


From: Mark Nipper <nipsy () tamu edu>
Date: Mon, 6 Oct 2003 18:29:36 -0500

On 06 Oct 2003, Josh Berry wrote:
> Mostly I need the performance improvements this would add.  Where I work
> we have some developers, so the cost wouldn't be an issue.  We would like
> to run a Linux Intrusion Prevention System with
> Bridge/Netfilter/Snort-Inline, however, for where we would like to use it,
> we are worried that the system would not be able to handle the traffic.  I
> have been using Bridge/Netfilter/Snort-Inline at home now for some time and
> have done some testing, but do not think that it could handle the load we
> would need.  If we could get it to perform at a satisfactory level that
> would allow us to use an open-source solution rather than pay $20,000 to
> $50,000 for a commercial IPS system.

        Out of curiosity, are you using ebtables
(http://ebtables.sourceforge.net/) to do this in the Linux
kernel?  I'm using OpenBSD and Snort currently to do this, but
I'm using Snort passively (not inline) so there is a second or so
of delay and some packets do get through.  I was just wondering
if the ebtables stuff in Linux (netfilter over a bridge) was
actually mostly stable.

        For what it's worth, the biggest issue seems to be how
well the box can hold up based on very small packets per second.
If you can maintain high rates of throughput with very small
packets, then your box should be a success.  Also, gigabit
interfaces tend to perform better under these kinds of loads,
even on 100Mbps connections, so buy some Intel gigabit desktop
adapters and see if it helps.

        What I'd really like to see is a box that works fully at
layer 7 like a Packeteer (http://www.packeteer.com/) but didn't
cost $25k and actually worked under heavy loads (which our
Packeteers seem to have problems doing).

-- 
Mark Nipper                                                e-contacts:
Computing and Information Services                      nipsy () tamu edu
Texas A&M University                        http://ops.tamu.edu/nipsy/
College Station, TX 77843-3142     AIM/Yahoo: texasnipsy ICQ: 66971617
(979)575-3193                                      MSN: nipsy () tamu edu

-----BEGIN GEEK CODE BLOCK-----
GG/IT d- s++:+ a-- C++$ UBL+++$ P--->+++ L+++$ E---
W++ N+ o K++ w(---) O++ M V(--) PS+++(+) PE(--) Y+
PGP++(+) t 5 X R tv b+++ DI+(++) D+ G e h r++ y+(**)
------END GEEK CODE BLOCK------

---begin random quote of the moment---
"If the fool would persist in his folly he would become wise."
 -- one of the Proverbs of Hell from William Blake's _The
    Marriage of Heaven and Hell_, 1789-1790
----end random quote of the moment----

