Re: binary logging on a 1Gbps network using a copper tap

[Richard Bejtlich <taosecurity () gmail com>]

Ben van der Merwe wrote:

> I have a two part question
> 1) What bottlenecks are encountered when doing binary logging on a 1Gbps
> network. How can these be solved. I have used snort successfully for
> binary logging (using a 10 Mbps hub in a 1 Gbps switched environment and
> logging the traffic from a single target machine), but I want to scale
> the solution to 1Gbps. I do not employ any snort rules - I want to log
> everything.

> 2) When I construct my own copper tap according to
> http://www.snort.org/docs/tap/ and using Category 5e cable, it will only
> support up to 100 Mbps (?). Can the same diagram be used to construct a
> 1Gbps tap ? I guess I can use 10 100Mbps taps on 10 100 Mbps switched
> ports, but I am looking for a more elegant (and cheaper) solution.
> There is a also very nice 'single stream' tap available at
> http://www.securicore.ca/critical_taps/singlestream1000/. Has anybody
> tried this out? How many snort sensors will be required?

Ben,

If you are logging Gigabit traffic, you need lots of RAM (1-2 GB at
least), a fast CPU (PIV 800 MHz FSB), fast disks (SCSI), a fast PCI-X
bus, quality NICs (Intel), and an OS built for speed (FreeBSD with
device polling enabled).

If you are logging everything, why use Snort?  Consider Tcpdump as an
alternative.

I would avoid constructing your own "tap," especially for Gigabit. 
1000Base-T uses all four twisted wire-pairs to transmit data in both
directions simultaneously.  I believe this would adversely affect the
home-made tap you mention.

About the Securicore tap: I've exchanged email with their engineers.  I asked:

"I wonder how you handle aggregating the TX lines from two Gigabit
feeds into a single Gigabit output.  Gigabit Ethernet is inherently
full duplex, so you have the potential of aggregating two 1000 Mbps
lines to a single 1000 Mbps output.  You are ok if the total
aggregated bandwidth used by each TX line never exceeds 1000 Mbps, but
what do you do when the aggregated bandwidth does exceed 1000 Mbps?"

They replied:

"You are absolutely correct regarding being careful ---> so the
aggregate bandwidth does not exceed 1000mbps. To handle momentary
spikes all aggregate taps have a built in memory buffer, however they
are not designed to be implemented in a link where the sustained
aggregate traffic exceeds  1000mbps."

In other words, don't use this product where you expect the aggregate
bandwidth to frequently exceed 1000 Mbps.  Otherwise it's a cool
device.

Sincerely,

Richard
http://www.taosecurity.com


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now. 
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users