Snort mailing list archives

RE: Snort on a Gigabit Bandwidth


From: "TRIBUT Mickael OF/DTRS" <mickael.tribut () orangefrance com>
Date: Tue, 17 Aug 2004 11:13:18 +0200

Thanks for all, 

I think I can now make a test with a good idea of the system and hardware to use :))))

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On behalf of Erik Fichtner
Sent: Monday, 16 August 2004 17:37
To: TRIBUT Mickael OF/DTRS
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort on a Gigabit Bandwidth


... why isn't this in the FAQ?   



On Mon, Aug 16, 2004 at 04:28:21PM +0200, TRIBUT Mickael OF/DTRS wrote:
> I want to configure a Snort probe on a gigabit bandwidth and I know that Snort only supports 100 mb
>
> What could I do ???
>
> Indeed, the Libpcap library doesn't support gigabit; however, I know that a patch for this kind of library exists!


Pick your poison:

http://public.lanl.gov/cpw/
 -or-
http://www.ntop.org/PF_RING.html


> I also need an example of a typical hardware PC for this sort of configuration !!

There isn't a typical config.  You'll need to examine your hardware options
in great detail.  

        You need the best PCI-X backplane bandwidth you can get (go after 
server motherboards, not desktop.  66MHz PCI is only good to 400MBit/sec.
You're going to need 133MHz PCI-X).

        You need as much memory as you can stand to hold your MMAP working 
set as well as good memory performance (Xeon boxes are pretty good at this, 
I don't know about the AMD offerings.).

        You need great low-latency server network adapter(s) (133MHz PCI-X).

And keep in mind that your capture options will limit you further.  Taps
require multiple NICs or some kind of aggregation system and span/mirror ports
sometimes aren't quite up to the task of a full gig of duplicated traffic. 
Low end switches often don't have much more than a couple gig of internal BW
already.

Another thing to keep in mind is that many loadbalancers can split streams
to multiple sensors so you aren't required to have one system tuned to 
theoretical maximum performance.    If you really have a gigabit IDS 
requirement, you can probably justify two or three smaller systems that can
each soak up a few hundred megabits/sec.

Good luck on your quest for 62.5MBytes/sec. 

-- 
Erik Fichtner
Principal Engineer, Information Security, ServerVault Corp.
703-652-5900


-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
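
The reply above suggests splitting streams across two or three sensors with a load balancer. The sketch below is an added example, not code from the thread or from Snort: it shows direction-independent flow hashing, so that both halves of a connection reach the same sensor and stream reassembly still sees the whole conversation. The function names, the choice of SHA-256 over the 5-tuple, the sensor count and the sample packets are all assumptions made for illustration.

```python
# Added example (not from the thread): flow-aware splitting of traffic
# across several IDS sensors. Sensor count and packets are constructed.
import hashlib
import ipaddress
from collections import Counter

def flow_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Direction-independent key: both halves of a connection sort the same."""
    a = (int(ipaddress.ip_address(src_ip)), src_port)
    b = (int(ipaddress.ip_address(dst_ip)), dst_port)
    lo, hi = sorted((a, b))
    return f"{proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}".encode()

def pick_sensor(pkt, n_sensors):
    """Map a packet's 5-tuple to a sensor index in [0, n_sensors)."""
    digest = hashlib.sha256(flow_key(*pkt)).digest()
    return int.from_bytes(digest[:8], "big") % n_sensors

def sensor_load(packets, n_sensors):
    """Bytes sent to each sensor; packets are (5-tuple, length) pairs."""
    load = Counter({i: 0 for i in range(n_sensors)})
    for pkt, length in packets:
        load[pick_sensor(pkt, n_sensors)] += length
    return dict(load)

# Constructed sample traffic: client->server and server->client packets.
SAMPLE = [
    (("10.0.0.5", 40000, "192.0.2.10", 80, "tcp"), 400),
    (("192.0.2.10", 80, "10.0.0.5", 40000, "tcp"), 1500),
    (("10.0.0.6", 40001, "192.0.2.10", 443, "tcp"), 600),
    (("192.0.2.10", 443, "10.0.0.6", 40001, "tcp"), 1500),
    (("10.0.0.7", 5353, "192.0.2.53", 53, "udp"), 90),
]

if __name__ == "__main__":
    for pkt, _ in SAMPLE:
        print(pkt, "-> sensor", pick_sensor(pkt, 3))
    print(sensor_load(SAMPLE, 3))
```

Hashing per packet or per source address instead would spread one connection over several sensors, and each would see only part of the stream.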

