Snort mailing list archives

Re: Best practices for very high volume install..


From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Tue, 21 Dec 2010 11:54:16 -0700

That's what I have found as well... snort+barnyard2, and tune the ruleset.  Don't use the ET rules (or if you do, 
tune/prune them aggressively).  On my network, I use network taps with two sensors, and run the ET ruleset on the tap 
that connects my network to the Internet only (bandwidth is considerably lower than on my corporate WAN links, on which 
I use only the Snort VRT ruleset).

I'm not pushing as much data through as you are... I've seen spikes up around 400 Mb/s with no drops though, and this 
is somewhat older hardware.

-----Original Message-----
From: Joel Esler [mailto:jesler () sourcefire com] 
Sent: Monday, December 20, 2010 5:02 PM
To: Castle, Shane
Cc: <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Best practices for very high volume install..

Using unified2 and barnyard2 removes the output logging slowdown from Snort. It can go very very fast.  

Most of the speed can be found in reducing ruleset and tuning. 


Sent from my iPhone

On Dec 20, 2010, at 6:27 PM, "Castle, Shane" <scastle () bouldercounty org> wrote:

Using Barnyard? The claim is that with Barnyard2 a 10G link can be
supported.

-- 
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH

-----Original Message-----
From: Wil Schultz [mailto:wschultz () bsdboy com] 
Sent: Monday, December 20, 2010 14:25
To: snort-users () lists sourceforge net
Subject: [Snort-users] Best practices for very high volume install..

Hey there, have a very high traffic install (snort 2.9/barnyard2) that
I'm trying to get into a good and usable position. 

At this point I've got a gig port that's saturated to the box so we're
going to do a 2g port-channel here in a bit.

So far I've come to the conclusion that mysql binary logging isn't
realistic, so it's been turned off.

Additionally I've got a script that runs at midnight to purge alerts
that are greater than 2 days old.

I'm considering putting the database into RAM for a little more speed.

Does anyone else have some other best practice type suggestions for a
very high traffic box?

-wil
------------------------------------------------------------------------------
Lotusphere 2011
Register now for Lotusphere 2011 and learn how
to connect the dots, take your collaborative environment
to the next level, and enter the era of Social Business.
http://p.sf.net/sfu/lotusphere-d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

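The midnight purge that Wil describes (drop alerts older than 2 days) is the one part of this setup where a naive script silently goes wrong, so here is an added example of what that job should look like. It is not from the thread and not the Snort or barnyard2 projects' own code; it assumes the classic Snort MySQL schema that barnyard2's "output database" plugin writes to (tables event, iphdr, tcphdr, udphdr, icmphdr, opt, data, all keyed by sid,cid), and a 2-day cutoff as in the original post. The point it demonstrates: that schema has no foreign keys, so a DELETE against event alone leaves the header and payload rows behind, and the database keeps growing even though the alert count stays flat.

```sql
-- Added example (not from the thread): nightly retention purge for the
-- classic Snort/barnyard2 MySQL schema. Table names are the ones the
-- barnyard2 database output plugin uses; if a BASE/ACID front end is
-- installed, add its acid_event table to the child list below.
-- Intended to be run from cron at midnight, e.g.:
--   mysql snort < purge_old_alerts.sql

-- Cutoff from the original post: anything older than 2 days.
SET @cutoff := NOW() - INTERVAL 2 DAY;

-- Collect the (sid, cid) keys to drop once, so every child table is
-- purged against the same key set and event is not re-scanned per
-- statement. (Hypothetical table name purge_keys.)
DROP TEMPORARY TABLE IF EXISTS purge_keys;
CREATE TEMPORARY TABLE purge_keys (
  sid INT UNSIGNED NOT NULL,
  cid INT UNSIGNED NOT NULL,
  PRIMARY KEY (sid, cid)
);

INSERT INTO purge_keys (sid, cid)
SELECT sid, cid
FROM event
WHERE timestamp < @cutoff;

-- Child tables first. The schema has no foreign keys, so deleting only
-- from event would orphan these rows and they would never be reclaimed.
DELETE d FROM data    d JOIN purge_keys k USING (sid, cid);
DELETE o FROM opt     o JOIN purge_keys k USING (sid, cid);
DELETE t FROM tcphdr  t JOIN purge_keys k USING (sid, cid);
DELETE u FROM udphdr  u JOIN purge_keys k USING (sid, cid);
DELETE i FROM icmphdr i JOIN purge_keys k USING (sid, cid);
DELETE h FROM iphdr   h JOIN purge_keys k USING (sid, cid);

-- Parent rows last.
DELETE e FROM event   e JOIN purge_keys k USING (sid, cid);

DROP TEMPORARY TABLE purge_keys;
```

On a box taking a saturated gig of traffic, the INSERT into purge_keys can be capped with a LIMIT and the whole script re-run until it selects nothing, which keeps each pass short and avoids holding row locks on event while barnyard2 is still inserting. With MySQL binary logging turned off, as in the original setup, none of these deletes are written to a binlog, so the purge does not add write amplification of its own.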