Snort mailing list archives

Re: Gigabit performance


From: Jack Pepper <pepperjack () afferentsecurity com>
Date: Fri, 25 Sep 2009 07:26:15 -0500

Quoting Jason Brvenik <jasonb () sourcefire com>:

I'm guessing that it is not possible to do what you are asking. You
should investigate using real hardware designed for the purpose.

I would agree with Jason.  There are special taps, adapters and  
hardware engineered for that purpose.  Start here:   
http://netquestcorp.com if you want to build such a box.  We played  
with this kind of tech a few years ago.  It was fun and *very*  
educational for everyone on the project.  Most hardware for this  
purpose will include some kind of packet analysis preprocessor on the  
adapter, plus the number of off the shelf network switches that can  
reliably mirror this level of traffic to the sensor eliminates low and  
mid range commodity network kit.

On the other hand if you want to do something besides hardware  
engineering, take your requirements back to square one and ask, "what  
do I really want to achieve", then try to achieve that.
   Why inline, is it really necessary?
   Why snort 2.8, is it really necessary?
   Why Full  ...  rules, that's usually never necessary

And so on until the list contains achievable goals.



On Thu, Sep 24, 2009 at 10:39 AM, Tomás Heredia
<tomas.heredia () activesec biz> wrote:
Hi all!

   I know this is a many-times-asked question, but I can't find any
conclusive information about this scenario.

I need to use snort in inline mode, and have to know which hardware
I would need to run:

Snort 2.8.x in inline mode
Full (or almost) rule set, including up to date VRT rules
No DB (just text alerts)
VMWare ESXi based (single VM on this ESXi)
Dual gigabit ethernet, plus one for management.
And support near Gigabit traffic WITHOUT any packet loss.

Does anybody have experience in a setup like this?

Thanks!

------------------------------------------------------------------------------
Come build with us! The BlackBerry(R) Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay
ahead of the curve. Join us from November 9-12, 2009. Register now!
http://p.sf.net/sfu/devconf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users






-- 

Framework?  I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com



