Snort mailing list archives
Re: binary logging on a 1Gbps network using a copper tap
From: Richard Bejtlich <taosecurity () gmail com>
Date: Wed, 8 Dec 2004 13:54:06 -0500
Ben van der Merwe wrote:
I have a two-part question.

1) What bottlenecks are encountered when doing binary logging on a 1Gbps network? How can these be solved? I have used snort successfully for binary logging (using a 10 Mbps hub in a 1 Gbps switched environment and logging the traffic from a single target machine), but I want to scale the solution to 1Gbps. I do not employ any snort rules - I want to log everything.

2) When I construct my own copper tap according to http://www.snort.org/docs/tap/ and using Category 5e cable, it will only support up to 100 Mbps (?). Can the same diagram be used to construct a 1Gbps tap? I guess I can use 10 100Mbps taps on 10 100 Mbps switched ports, but I am looking for a more elegant (and cheaper) solution. There is also a very nice 'single stream' tap available at http://www.securicore.ca/critical_taps/singlestream1000/. Has anybody tried this out? How many snort sensors will be required?
Ben,

If you are logging Gigabit traffic, you need lots of RAM (1-2 GB at least), a fast CPU (PIV 800 MHz FSB), fast disks (SCSI), a fast PCI-X bus, quality NICs (Intel), and an OS built for speed (FreeBSD with device polling enabled).

If you are logging everything, why use Snort? Consider Tcpdump as an alternative.

I would avoid constructing your own "tap," especially for Gigabit. 1000Base-T uses all four twisted wire-pairs to transmit data in both directions simultaneously. I believe this would adversely affect the home-made tap you mention.

About the Securicore tap: I've exchanged email with their engineers. I asked:

"I wonder how you handle aggregating the TX lines from two Gigabit feeds into a single Gigabit output. Gigabit Ethernet is inherently full duplex, so you have the potential of aggregating two 1000 Mbps lines to a single 1000 Mbps output. You are ok if the total aggregated bandwidth used by each TX line never exceeds 1000 Mbps, but what do you do when the aggregated bandwidth does exceed 1000 Mbps?"

They replied:

"You are absolutely correct regarding being careful ---> so the aggregate bandwidth does not exceed 1000mbps. To handle momentary spikes all aggregate taps have a built in memory buffer, however they are not designed to be implemented in a link where the sustained aggregate traffic exceeds 1000mbps."

In other words, don't use this product where you expect the aggregate bandwidth to frequently exceed 1000 Mbps. Otherwise it's a cool device.

Sincerely,

Richard
http://www.taosecurity.com
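The aggregation problem raised in the reply above, modelled as an added example (not code from the thread, Snort or Securicore): two TX directions, each under 1000 Mbps, share one 1000 Mbps monitor output, and a finite spike buffer absorbs bursts but not sustained overload. The 64 Mbit buffer, 1 ms step and traffic profiles are constructed assumptions.

```python
"""Full-duplex aggregation tap model: two Gigabit TX feeds share one
1000 Mbps monitor port, with a finite buffer for momentary spikes.
Added example for this thread, not code from Snort or Securicore; buffer
size, step length and traffic profiles are constructed. Units are chosen so
that Mbps * microseconds = bits, which keeps the arithmetic exact."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

OUTPUT_MBPS = 1000  # a single 1000Base-T monitor port


@dataclass
class TapResult:
    offered_mbit: float
    dropped_mbit: float
    first_drop_s: Optional[float]  # None when the buffer never overflowed


def simulate_tap(profile: List[Tuple[float, int, int]], buffer_mbit: int,
                 step_us: int = 1000) -> TapResult:
    """Feed per-direction TX rates (phases of (duration_s, tx_a_mbps,
    tx_b_mbps)) through the tap and count what it drops. Each step both
    directions arrive, the output drains OUTPUT_MBPS, and bits beyond the
    buffer are lost: each direction can be under 1000 Mbps and still
    overflow once their sum exceeds it."""
    buffer_bits = buffer_mbit * 1_000_000
    capacity_bits = OUTPUT_MBPS * step_us
    queued = dropped = offered = t_us = 0
    first_drop_us = None
    for duration_s, tx_a, tx_b in profile:
        arriving = (tx_a + tx_b) * step_us
        for _ in range(int(round(duration_s * 1_000_000 / step_us))):
            t_us += step_us
            offered += arriving
            backlog = max(0, queued + arriving - capacity_bits)
            overflow = max(0, backlog - buffer_bits)  # what the buffer cannot hold
            queued = backlog - overflow
            dropped += overflow
            if overflow and first_drop_us is None:
                first_drop_us = t_us
    return TapResult(offered / 1e6, dropped / 1e6,
                     None if first_drop_us is None else first_drop_us / 1e6)


if __name__ == "__main__":
    # Constructed profiles: a 100 ms burst the 64 Mbit buffer absorbs, then a
    # sustained 700 + 700 Mbps load that exceeds the output by 400 Mbps.
    spike = [(0.1, 700, 700), (0.9, 300, 300)]
    sustained = [(1.0, 700, 700)]
    for name, prof in (("spike", spike), ("sustained", sustained)):
        print(name, simulate_tap(prof, buffer_mbit=64))
```

With the sustained profile the buffer fills after 160 ms and the tap then drops 400 Mbps of the offered 1400 Mbps for the rest of the second, which is the failure mode the engineers describe.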