RE: [Snort-users] Snort and high performance networks (Snort forums, System Security and Security Related category)
Are you guys ACTUALLY running traffic at 800Mbps or even 2-3 Gbps? I mean, what application or server processes that much data on the line? This dood stated he had an OC-whatever pumping 30Gbps, and Chad asked a very appropriate question as to how on earth anyone would Snort that line short of buying a machine with an OC-3 $$ (CHA-CHING!) interface stuck in it. Most people would use Sniffer with a WAN interface and network fiber taps to get "quick snapshots".

Back to the 3-4Gbps line: you have 10Gbps interfaces deployed already? How exactly are you seeing 3-4Gbps of traffic, is it steady, and what applications use that? I mean, most switches see that kind of total backbone traffic, and you can actually use switch-based IDS (like the one from Cisco)... unless of course you have a 10Gbps backbone, but to where does that much traffic travel?

Cheese!
Marc

> --__--__--
>
> Message: 1
> From: "Rafael Ortega" <rafael.ortega@telecarrier.com>
> To: <snort-users@lists.sourceforge.net>
> Subject: RE: [Snort-users] Snort and high performance networks
> Date: Fri, 21 May 2004 08:25:47 -0500
>
> Hello, All
>
> I'm currently snorting close to 800Mbps with no problem. What to do with the amount of info is another story. I tried ACID, but after 24 hours and 700,000 events registered, the database becomes too slow, even after indexing certain reference fields.
>
> I've taken to logging into syslog in a separate file, and use snortalog nightly to generate reports from it. I still use Barnyard/ACID, but clean the database every 24 hours. I use it mostly to get quick snapshots of current events.
>
> I'm waiting for the company's DB people to give me a hand. Maybe migrate from MySQL to something more efficient or update the hardware (Sun Netra T1 with 512MB RAM doing only the DB).
>
> The sniffer is an Intel Xeon 2.4GHz with 1GB RAM running only snort and barnyard.
>
> -----Original Message-----
> From: snort-users-admin@lists.sourceforge.net [mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Kreimendahl, Chad J
> Sent: Thursday, 20 May 2004 13:12
> To: Christopher Rapier
> Cc: snort-users@lists.sourceforge.net
> Subject: RE: [Snort-users] Snort and high performance networks
>
> FWIW... I've got systems that are easily handling between 3-4Gbps each. That's partially hardware, partially OS, and a little tiny config work. Very near to all rules enabled on these interfaces, as well as all of the preprocessors (minus the broken ones), and a database output plugin.
>
> 0 dropped packets. If you check the archives for this list, you'll find discussions about kernels that can do polling against network devices, and how this enhances snort performance on high speed links (network performance in general, really). I believe I mention the OSes, maybe some config info and hardware used.
>
> If it's of any value, the machine I'm talking about above (handling >3Gbps) cost around $2500 (not sure if that's retail).
>
> -----Original Message-----
> From: Christopher Rapier [mailto:rapier@psc.edu]
> Sent: Thursday, May 20, 2004 11:32 AM
> Cc: snort-users@lists.sourceforge.net
> Subject: Re: [Snort-users] Snort and high performance networks
>
> On May 20, 2004, at 11:45 AM, Kreimendahl, Chad J wrote:
>
> > Well, I'm sure there is a system out there that can handle this, but my question would be: How in the world do you expect to get a 30GBps connection pumped to a unix/win machine?
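An added example, not code from the thread or from any of its posters, of the syslog-based nightly reporting Rafael describes above as his workaround for the slow ACID database: a parser for the Snort 2.x syslog alert line format, aggregating a constructed sample into per-signature and per-source counts. The hostname, process id, addresses and one non-Snort kernel line in the sample are made up.

```python
import re
from collections import Counter

# Constructed sample of a syslog file shared between Snort and other daemons.
# Snort 2.x syslog alert format:
#   snort[pid]: [gid:sid:rev] msg [Classification: c] [Priority: p]: {proto} src[:port] -> dst[:port]
SAMPLE_SYSLOG = """\
May 21 08:25:47 sensor1 snort[2210]: [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 203.0.113.9:1434 -> 198.51.100.7:1434
May 21 08:25:48 sensor1 snort[2210]: [1:1000001:1] LOCAL web scan [Priority: 3]: {TCP} 203.0.113.9:40122 -> 198.51.100.20:80
May 21 08:25:49 sensor1 snort[2210]: [1:469:3] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 203.0.113.44 -> 198.51.100.20
May 21 08:25:50 sensor1 snort[2210]: [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 203.0.113.9:1434 -> 198.51.100.8:1434
May 21 08:25:51 sensor1 kernel: eth1: link up, 1000Mbps full duplex
"""

# Classification is optional (rules without a classtype omit it); ICMP alerts carry no ports.
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>[A-Z]+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

def parse_alert(line):
    """Return a dict of alert fields, or None for lines that are not Snort alerts."""
    m = ALERT_RE.search(line.rstrip())
    if not m:
        return None
    fields = m.groupdict()
    fields["prio"] = int(fields["prio"])   # 1 is the most severe
    return fields

def summarize(text):
    """Aggregate one day's syslog text the way a nightly report would:
    counts per signature and per source address, priority-1 total, lines skipped."""
    by_sig, by_src, high, skipped = Counter(), Counter(), 0, 0
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            skipped += 1                    # kernel messages etc. share the file
            continue
        by_sig[f"{alert['gid']}:{alert['sid']} {alert['msg']}"] += 1
        by_src[alert["src"]] += 1
        if alert["prio"] <= 1:
            high += 1
    return {"by_sig": by_sig, "by_src": by_src, "high_priority": high, "skipped": skipped}

if __name__ == "__main__":
    report = summarize(SAMPLE_SYSLOG)
    for sig, n in report["by_sig"].most_common():
        print(f"{n:6d}  {sig}")
    print(f"skipped non-alert lines: {report['skipped']}")
```

Because the report is built from the flat syslog file, it keeps working after the ACID database has been cleaned, which is the point of keeping the two separate.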