RE: [Snort-users] Snort and high performance networks

Old 05-21-2004
snort user
 

Hi,

I've snipped out some of the recent posts to this thread. We've been doing
extensive research into snort speeds at my University and to me it seems
like these 2 posts are completely inaccurate and absurd. Chad claims to
capture all traffic with all rules and preprocessors with a $2500 piece of
hardware, while if you buy a $50,000 solution from Sourcefire (home of the
creator of snort) you can only get 1 Gig and they disable rules and
preprocessors
(http://osec.neohapsis.com/results/ni...oductinfo.html).
And then when Chris asked you your specs on your box you defer him to
TopLayer.

Even getting 800 Mb/s as Rafael said is not impossible but really is not
feasible without hardcore kernel modification and maybe even silicon chips
and ASIC cards.

Would either of you like to share how you're able to do this, I mean the
technologies and hardware you are using? Also how do you verify these results?

-- UoC --


-- snip Rafael Ortega--
>I'm currently snorting close to 800Mbps with no problem. What to do with
>the amount of info, is another story. I tried ACID, but after 24 hours and
>700,000 events registered, the data base becomes too slow, even after
>indexing certain reference fields.

-- end snip --

-- snip Kreimendahl, Chad --
>FWIW... I've got systems that are easily handling between 3-4Gbps each.
>That's partially hardware, partially OS, and a little tiny config work.
>Very near to all rules enabled on these interfaces, as well as all of
>the preprocessors (minus the broken ones), and a database output plugin.
>
>0 dropped packets. If you check the archives for this list, you'll
>find discussions about kernels that can do polling against network
>devices, and how this enhances snort performance on high speed links
>(network performance in general, really). I believe I mention the OSes,
>maybe some config info and hardware used.

-- end snip --
