Snort mailing list archives

RE: Snort in a cluster

From: "Williams Jon" <WilliamsJonathan () JohnDeere com>
Date: Fri, 9 Jul 2004 09:45:18 -0500

I'm glad to hear someone else is doing this.  I was at a conference and
talking with the Sourcefire tech guy, and when I mentioned that we were
doing this, he looked at me as if I'd just stepped off a spaceship.
Even after I'd explained what we were doing (i.e. better performance of
any any -> any any rules, stripping out sections of aggregated taps,
etc.), he still didn't seem to grasp that someone would want to do this.
<shakes head>

It does work quite well, though.  I've got three individual boxes that
are each monitoring 80-90 mbps sustained, the traffic coming from 40 or
50 ethernet taps.  Much cheaper than buying one computer for each tap or
mucking about with multiple interfaces in a single box. 

Jon

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Michael
Stone
Sent: Friday, July 09, 2004 9:24 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort in a cluster

On Fri, Jul 09, 2004 at 02:01:44PM +0100, you wrote:

If you need more power for snort than a single CPU can provide, you 
probably want to be looking at having multiple sensors and a IDS 
load-balancing solution (e.g. Radware or Top Layer).


Or you can adjust the pcap filter so snort sees less traffic. I've had
good success running multiple snorts on one system where each sees part
of the traffic and together they can keep up with a faster link than a
single process trying to watch everything.

Mike Stone


-------------------------------------------------------
This SF.Net email sponsored by Black Hat Briefings & Training.
Attend Black Hat Briefings & Training, Las Vegas July 24-29 - digital
self defense, top technical experts, no vendor pitches, unmatched
networking opportunities. Visit www.blackhat.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users





-------------------------------------------------------
This SF.Net email sponsored by Black Hat Briefings & Training.
Attend Black Hat Briefings & Training, Las Vegas July 24-29 -
digital self defense, top technical experts, no vendor pitches,
unmatched networking opportunities. Visit www.blackhat.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Snort in a cluster Luis Claudio Rodrigues da Silveira (Jul 09)
- Re: Snort in a cluster Alex Butcher, ISC/ISYS (Jul 09)
  - Re: Snort in a cluster Michael Stone (Jul 09)
    - Message not available
    - Re: Snort in a cluster Michael Stone (Jul 12)
    - Re: Snort in a cluster Alex Butcher, ISC/ISYS (Jul 15)
- Re: Snort in a cluster Brian (Jul 09)
- Re: Snort in a cluster Rodrigo Ramos (Jul 09)
- <Possible follow-ups>
- RE: Snort in a cluster Williams Jon (Jul 09)
  - Re: Snort in a cluster Jason (Jul 09)
- RE: Snort in a cluster Joshua Berry (Jul 09)
  - Re: Snort in a cluster Jason (Jul 09)
  - Re: Snort in a cluster Michael Stone (Jul 09)