Snort mailing list archives
RE: Snort and high performance networks
From: SN ORT <snort_on_acid () yahoo com>
Date: Fri, 21 May 2004 11:14:17 -0700 (PDT)
Are you guys ACTUALLY running traffic at 800Mbps or even 2-3 Gbps? I mean what application or server processes that much data on the line? This dood stated he had an OC-whatever pumping 30Gbps, and Chad asked a very appropriate question as to how on earth anyone would Snort that line short of buying a machine with an OC-3 $$ (CHA-CHING!) interface stuck in it. Most people would use Sniffer with a WAN interface and network fiber taps to get "quick snapshots".

Back to the 3-4Gbps line, you have 10Gbps interfaces deployed already? How exactly are you seeing 3-4Gbps traffic, and is it steady and what applications use that? I mean most switches see that kind of total backbone traffic and you can actually use switch-based IDS (like the one from Cisco)...unless of course you have a 10Gbps backbone, but to where does that much traffic travel?

Cheese!
Marc
--__--__--
Message: 1
From: "Rafael Ortega" <rafael.ortega () telecarrier com>
To: <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Snort and high performance networks
Date: Fri, 21 May 2004 08:25:47 -0500

Hello, All

I'm currently snorting close to 800Mbps with no problem. What to do with the amount of info, is another story. I tried ACID, but after 24 hours and 700,000 events registered, the data base becomes too slow, even after indexing certain reference fields. I've taken to log into syslog in a separate file, and use snortalog nightly to generate reports from it. I still use Barnyard/ACID, but clean the database every 24 hours. I use it mostly to get quick snapshots of current events.

I'm waiting for the company's DB people to give me a hand. Maybe migrate from Mysql to something more efficient or update the hardware (Sun Netra T1 with 512MB RAM doing only the DB). The sniffer is an Intel Xeon 2.4GHz with 1GB RAM running only snort and barnyard.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Kreimendahl, Chad J
Sent: jueves, 20 de mayo de 2004 13:12
To: Christopher Rapier
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort and high performance networks

FWIW... I've got systems that are easily handling between 3-4Gbps each. That's partially hardware, partially OS, and a little tiny config work. Very near to all rules enabled on these interfaces, as well as all of the preprocessors (minus the broken ones), and a database output plugin. 0 dropped packets.

If you check the archives for this list, you'll find discussions about kernels that can do polling against network devices, and how this enhances snort performance on high speed links (network performance in general, really). I believe I mention the OSes, maybe some config info and hardware used.

If it's of any value, the machine I'm talking about above (handling 3Gbps) cost around $2500 (not sure if that's retail).

-----Original Message-----
From: Christopher Rapier [mailto:rapier () psc edu]
Sent: Thursday, May 20, 2004 11:32 AM
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort and high performance networks

On May 20, 2004, at 11:45 AM, Kreimendahl, Chad J wrote:
Well, I'm sure there is a system out there that can handle this, but my question would be: How in the world do you expect to get a 30GBps connection pumped to unix/win machine?
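Added example (not part of any message in this thread, and not snortalog itself): a minimal nightly summary over a syslog file of Snort alerts, the kind of report the quoted message describes generating instead of querying an overloaded ACID database. The line layout is assumed to be the one Snort's alert_syslog output writes; the sample lines, host name and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the layout assumed for Snort's alert_syslog
# output (host, addresses and alerts are made up for this example).
SAMPLE_LOG = """\
May 21 08:25:01 sensor1 snort: [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 192.0.2.10:1045 -> 198.51.100.7:1434
May 21 08:25:02 sensor1 snort: [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 192.0.2.10:1046 -> 198.51.100.8:1434
May 21 08:25:09 sensor1 snort: [1:469:3] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 192.0.2.44 -> 198.51.100.7
May 21 08:26:30 sensor1 sshd[412]: Accepted publickey for ops from 203.0.113.5 port 51514 ssh2
May 21 08:27:11 sensor1 snort: [1:1002:7] WEB-IIS cmd.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 192.0.2.10:3321 -> 198.51.100.20:80
"""

# [gid:sid:rev] message, optional classification and priority, then
# {proto} src[:port] -> dst[:port]; ports are absent for ICMP.
ALERT_RE = re.compile(
    r"snort(?:\[\d+\])?: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?)"
    r"(?: \[Classification: (?P<cls>[^\]]*)\])?"
    r"(?: \[Priority: (?P<prio>\d+)\])?:? "
    r"\{(?P<proto>[^}]+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

def parse_alerts(text):
    """Yield one dict per Snort alert line; other syslog lines are skipped."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield m.groupdict()

def summarize(text, top=3):
    """Count alerts per signature, per source address and per priority."""
    sigs, srcs, prios = Counter(), Counter(), Counter()
    for a in parse_alerts(text):
        sigs[(a["sid"], a["msg"])] += 1
        srcs[a["src"]] += 1
        prios[int(a["prio"] or 0)] += 1  # 0 = line carried no priority tag
    return {"total": sum(sigs.values()),
            "signatures": sigs.most_common(top),
            "sources": srcs.most_common(top),
            "priorities": dict(prios)}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Because the counters are built in one pass over a flat file, the cost grows with the day's line count rather than with the size of an indexed event table.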
Current thread:
- RE: Snort and high performance networks, (continued)
- RE: Snort and high performance networks Kreimendahl, Chad J (May 20)
- Re: Snort and high performance networks Chris Rapier (May 20)
- RE: Snort and high performance networks Rafael Ortega (Jun 01)
- RE: Snort and high performance networks Kreimendahl, Chad J (May 20)
- RE: Snort and high performance networks Rafael Ortega (May 21)
- Re: Snort and high performance networks Jason Haar (May 23)
- RE: Snort and high performance networks snort user (May 21)
- Re: Snort and high performance networks Christopher Rapier (May 21)
- RE: Snort and high performance networks Rafael Ortega (May 21)
- Re: Snort and high performance networks snort user (May 21)
- RE: Snort and high performance networks SN ORT (May 21)
- RE: Snort and high performance networks Kreimendahl, Chad J (May 21)
- Re: Snort and high performance networks Aaron (May 24)
- High Speed Network Cards + rules? Adriel T. Desautels (May 24)
- Re: High Speed Network Cards + rules? Keith W. McCammon (May 24)
- Re: High Speed Network Cards + rules? Christopher Rapier (May 24)
- Re: High Speed Network Cards + rules? Matt Kettler (May 24)
- Re: High Speed Network Cards + rules? James Riden (May 24)
- Re: High Speed Network Cards + rules? James Riden (May 25)
- High Speed Network Cards + rules? Adriel T. Desautels (May 24)
- RE: Snort and high performance networks Kreimendahl, Chad J (May 20)
- Re: High Speed Network Cards + rules? Tod Beardsley (May 24)