Snort mailing list archives
Re: Super Fast Snort Considerations
From: Jaime Nebrera <jnebrera () redborder org>
Date: Mon, 31 Aug 2015 10:00:40 +0200
Hi Charles, it seems you are mixing things a bit. To have a sensor capable of holding 100Gbps in Snort you need some serious stuff, specialized hardware, I guess hardware offloading, etc etc.
But you also name BY2. This is a different ball game. To be able to manage the events produced by such an amount of traffic (in this case combining multiple probes) you will also need some serious beef, but there are alternatives there too, both based on SQL and Big Data.
On 30/08/15 at 18:32, Joel Esler (jesler) wrote:
To do 100 Gb/s, you'd need specialized hardware and flow-pinning to divide the traffic amongst several different copies of Snort. Our firePOWER devices achieve these speeds, but with a lot of specialized code.

--
Joel Esler
Manager, Threat Intelligence and Open Source
Talos Group
Sent from my iPhone

On Aug 30, 2015, at 10:41 AM, Davison, Charles Robert <cdaviso1 () vols utk edu> wrote:

Good Morning,

I was wondering what everyone is using in production for processing snort data at high throughput. We will need to process up to 100Gb/s. I had considered using Packet Pig but don’t know if it’s still viable, the neat thing about it was that it leveraged Hadoop? We ran into performance issues with Snorby and I’m leaning towards just a basic snort install forwarding alerts to our syslog server to be processed by our SIEM tool… any suggestions? If we used By2 I’m not sure it could handle the data. Hardware/Architecture design specifications would be much appreciated.

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Super Fast Snort Considerations Davison, Charles Robert (Aug 30)
- Re: Super Fast Snort Considerations Joel Esler (jesler) (Aug 30)
- Re: Super Fast Snort Considerations Jaime Nebrera (Aug 31)
- Re: Super Fast Snort Considerations Davison, Charles Robert (Aug 31)
- Re: Super Fast Snort Considerations Joel Esler (jesler) (Aug 31)
- Re: Super Fast Snort Considerations Jaime Nebrera (Aug 31)
- Re: Super Fast Snort Considerations Joel Esler (jesler) (Aug 30)