Re: making snort go fast

["David Williams" <dwilliamsd () gmail com>]

Yeah, I'm spiking at over 7G, average run rate during prime hours of 1
to 2G, capability in times of crisis up to 10G.  Detection mode, not
inline. Inline may/will happen (depending on who you ask), but only
with a limited ruleset that we generate internally.  So, my question
returns.... anybody ever tested any of the platforms below?

On Thu, Feb 14, 2008 at 7:02 PM, Moses Hernandez
<moses () networksamurai org> wrote:
> I am catching this a bit late but let m chime in here. Exactly what I the
> question. Do you want to do inline prevention or out of band detection at
> 10g?
>
> The reason I ask is because unless you can prove with netflow that you need
> 10gb most people do not. In addition you may do further analysis and find
> out by although you want 10gb; in reality you may only want to protect and
> detect at a different part of the network that is maybe 2gb not 10.
>
> Lastly, consider what you are asking the device to do. Ips and ids
> performance may degenerate based on several factors.
>
> 1 - how many preprocessors are you running through
> 2 - do you need to run through all those preprocessors?
> 3 - do you have necessary and unnecessary ( or wasteful ) signatures loaded?
>
> Once you have an idea then meassure those factors in life (demo) and
> calculate actual performance before making a decision.
>
>
>
> Moses Hernandez
> Www.networksamurai.org
>
>
> On Feb 14, 2008, at 5:17 PM, JJC <cummingsj () gmail com> wrote:
>
>
> I suggest researching sourcefire a bit further... they are not just another
> vendor like any other... see what their relationship is to snort.  Granted,
> the box is expensive but you often get what you pay for, or for how much
> time you invest in engineering a solution etc...
>
> On Thu, Feb 14, 2008 at 5:05 PM, David Williams <dwilliamsd () gmail com>
> wrote:
> > Yeah, I looked at them and did some checking.  They're commercial 10G
> > solution lists for around $250,000 I think.  I'm looking for something
> > a little lower down the price list.  I just want the performance...
> > not all the other stuff you get when you buy SourceFire.
> >
> >
> >
> >
> > On Thu, Feb 14, 2008 at 4:36 PM, Joel Esler <joel.esler () sourcefire com>
> wrote:
> > > How about...  Sourcefire?  The people who make Snort?
> > >
> > >  They might have a go-fast solution.
> > >
> > >  J
> > >
> > >
> > >
> > >  On Feb 14, 2008, at 4:26 PM, David Williams wrote:
> > >
> > >  > Hello List,
> > >  >
> > >  > I'm trying to get Snort to go very fast.  Has anybody evaluated any
> of
> > >  > these solutions below.  I know these vendors are claiming multi-gig
> > >  > Snort, but I'm skeptical of vendor claims (obviously).
> > >  >
> > >  > - Endace's Ninja appliance (they claim 10G, but the webcast seemed to
> > >  > contradict this claim by stating just under 2G)
> > >  >
> > >  > - Netronome Systems Open Appliance (claiming 6-8G)
> > >  >
> > >  > - Bivio Networks B7000 (claiming 10G)
> > >  >
> > >  > Anybody else I'm missing from the list of vendors claiming to make
> > >  > Snort go fast?
> > >  >
> > >  > thanks,
> > >  >
> > >  > Dave
> > >  >
> > >
> > >
> > > >
> -------------------------------------------------------------------------
> > >  > This SF.net email is sponsored by: Microsoft
> > >  > Defy all challenges. Microsoft(R) Visual Studio 2008.
> > >  > http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> > >  > _______________________________________________
> > >  > Snort-users mailing list
> > >  > Snort-users () lists sourceforge net
> > >  > Go to this URL to change user options or unsubscribe:
> > >  > https://lists.sourceforge.net/lists/listinfo/snort-users
> > >  > Snort-users list archive:
> > >  > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >  >
> > >
> > >
> > >  --
> > >  Joel Esler  joel.esler () sourcefire com
> > -------------------------------------------------------------------------
> > This SF.net email is sponsored by: Microsoft
> > Defy all challenges. Microsoft(R) Visual Studio 2008.
> > http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2008.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users