This is a discussion on Re: [Snort-users] How to setup inline within the Snort forums, part of the System Security and Security Related category.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mike,

What is your throughput? If you are pushing more than 200M I would say
recompile your kernel with pf_ring 3 (which will give you a large ring
buffer) and put a lot more RAM in there for it -- I'd say 4GB of memory
if you can.

Here is a snippet regarding some stuff on pf_ring
http://www.ntop.org/PF_RING.html

- ---------- snip ------------
Who needs PF_RING?

Basically everyone who has to handle many packets per second. The term
'many' changes according to the hardware you use for traffic analysis.
It can range from 20k pkt/sec on a i486, to 500k pkt/sec on a Pentium
IV. PF_RING not only enables you to capture packets faster, it also
captures packets more efficiently preserving CPU cycles. Just to give
you some figures you can see how fast nProbe, a NetFlow v5/v9 probe,
can go using PF_RING.
- ---------- snip ------------

- ---------- snip ------------
"I did this test a year ago with 3.0 vs philwood vs vanilla libpcap.
And my results were similar. My app has been logging packet capture
results for almost a year on sensors capturing traffic in excess of
200 megabits/sec. vanilla libpcap taps out at about 55 megabits/sec.
philwood went up to about 80 - 120 megabits/sec depending on the
traffic. My goal was less than 5% packet loss - pf_ring 3.0 over the
last year on all sensors lost less than .1 % per sensor!"
- ---------- snip ------------

Best Regards,

Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, LLC

- ---------------------------------------------
Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, LLC
1095 Pingree Road
Suite 213
Crystal Lake, IL 60014
Toll Free: (877) 262-7593 ext:327
Direct: (847) 854-2725 ext:327
Fax: (847) 854-5106
Web: http://www.appliedwatch.com
Email: eric.hines@appliedwatch.com
- --------------------------------------------
"Enterprise Open Source Security Management"

Mike Montgomery wrote:
> What would the hardware requirements be on a system to run inline for
> snort? Will be using it at the headend of a WISP, with currently approx
> 850 customers. I have an AMD Sempron +1800 with 1gb ram and 2 80gb hdds
> setup in Raid0.
> Will that be sufficient to handle the load?
>
> Mike
>
> Eric Hines wrote:
>
> Mike,
>
> Answer 1) Yes, you will want (3) NICs on your box. Pop a new NIC in
> there. When you bridge it, you will have br0 for example, which will
> comprise a bridge of eth1 and eth2. Make eth0 your management interface
> and give it an IP.
>
> eth0: 192.168.0.1
> eth1: 0.0.0.0
> eth2: 0.0.0.0
>
> Answer 2) Snort-Inline uses netfilter, ipqueue, etc for dropping
> packets. There are numerous writeups on how to set this up.
>
> Answer 3) Specifying which attacks are dropped is done using the drop,
> sdrop, etc. keywords in the action of the individual signature.
>
> I hope this helps.
>
> Best Regards,
>
> Eric Hines, GCIA, CISSP
> CEO, President
> Applied Watch Technologies, LLC
>
> ---------------------------------------------
> Eric Hines, GCIA, CISSP
> CEO, President
> Applied Watch Technologies, LLC
> 1095 Pingree Road
> Suite 213
> Crystal Lake, IL 60014
> Toll Free: (877) 262-7593 ext:327
> Direct: (847) 854-2725 ext:327
> Fax: (847) 854-5106
> Web: http://www.appliedwatch.com
> Email: eric.hines@appliedwatch.com
> --------------------------------------------
> "Enterprise Open Source Security Management"
>
> Mike Montgomery wrote:
>
>>>> Hello,
>>>>
>>>> I recently setup a box running snort at our headend, it's not inline as
>>>> of now, but it's using a monitor port on a cisco 2950. What would be the
>>>> ideal setup to put the box inline? I currently have 2 nics in this box,
>>>> 1 on the monitor port, 2nd is the nic I use to connect to the box for
>>>> console. To go inline, would I need 3 nics total, 1 in, 1 out, and set
>>>> them to be bridged? Or what. If I wanted snort to drop the packets for
>>>> say P2P, would snort do that by itself, or would I need to have a
>>>> firewall running to do that. Just trying to make some sense of this.
>>>>
>>>> Thanks
>>>>
>>>> Mike Montgomery
>>>> Citizens Communications Corp.
>>>> /Systems Administrator/
>>>>
>>>> -------------------------------------------------------
>>>> This SF.Net email is sponsored by xPML, a groundbreaking scripting
>>>> language that extends applications into web and mobile media. Attend
>>>> the live webcast and join the prime developer group breaking into this
>>>> new coding territory!
>>>> http://sel.as-us.falkag.net/sel?cmd=...720&dat=121642
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users@lists.sourceforge.net
>>>> Go to this URL to change user options or unsubscribe:
>>>> https://lists.sourceforge.net/lists/...fo/snort-users
>>>> Snort-users list archive:
>>>> http://www.geocrawler.com/redir-sf.p...st=snort-users

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEOaoQbOqF2QHgUK0RAsYKAKC0jedVnKI9sw0dis1k8kOuXijFPQCggdZZ
qIx603DSLhdUGrGk4NAxdM4=
=m7Cm
-----END PGP SIGNATURE-----
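Putting Eric's three answers together in one script, as an added example that is not from the original thread or from the snort_inline project: build the br0 bridge from two address-less NICs (Answer 1), push forwarded traffic into ip_queue so snort_inline can drop it (Answer 2), and write a local rule that uses the drop action against the BitTorrent handshake, the P2P case Mike asked about (Answer 3). Assumptions: 2.6-era Linux tooling (brctl, ip, iptables, the ip_queue module), a snort_inline binary that takes -Q for inline mode, and placeholder interface names, config paths and rule text; the BitTorrent rule is an illustrative local rule, not a signature shipped with Snort.

```shell
#!/bin/sh
# Added example (not from the original thread): transparent bridge plus
# ip_queue hand-off for snort_inline, following Eric's three answers.
# Assumptions: brctl/ip/iptables/ip_queue as on a 2.6 kernel, and that
# snort_inline accepts -Q for inline mode. Interface names, paths and the
# rule below are placeholders. Set DRY_RUN=1 to print commands instead of
# running them.

DRY_RUN="${DRY_RUN:-0}"

# run: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# setup_bridge BRIDGE IN_IF OUT_IF
# The two members carry no IP address (Eric's eth1/eth2 at 0.0.0.0) and
# neither does the bridge, so the sensor has no layer-3 presence on the
# segment it sits in; management stays on the separate eth0.
setup_bridge() {
    br="$1"; in_if="$2"; out_if="$3"
    run brctl addbr "$br"
    run brctl addif "$br" "$in_if"
    run brctl addif "$br" "$out_if"
    run ip addr flush dev "$in_if"
    run ip addr flush dev "$out_if"
    run ip link set "$in_if" up
    run ip link set "$out_if" up
    run ip link set "$br" up
}

# queue_bridged_traffic
# Bridged frames only traverse the iptables FORWARD chain when
# bridge-nf-call-iptables is on. Without it the QUEUE target never sees
# them and snort_inline runs happily while inspecting nothing.
queue_bridged_traffic() {
    run modprobe ip_queue
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
    run iptables -A FORWARD -j QUEUE
}

# drop_rule SID MSG CONTENT
# Emit one rule with the drop action (Answer 3): the packet is discarded
# and logged. sdrop discards silently; alert would only log and forward.
# SIDs from 1000000 up are reserved for local rules.
drop_rule() {
    sid="$1"; msg="$2"; content="$3"
    printf 'drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"%s"; flow:to_server,established; content:"%s"; classtype:policy-violation; sid:%s; rev:1;)\n' \
        "$msg" "$content" "$sid"
}

# write_local_rules FILE
# Illustrative rule only: the 0x13 length byte followed by the string
# "BitTorrent protocol" is the BitTorrent peer handshake.
write_local_rules() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '# would write to %s:\n' "$1"
        drop_rule 1000001 "LOCAL P2P BitTorrent handshake" "|13|BitTorrent protocol"
    else
        drop_rule 1000001 "LOCAL P2P BitTorrent handshake" "|13|BitTorrent protocol" > "$1"
    fi
}

# start_snort_inline CONF LOGDIR
# -Q (assumed flag) makes snort_inline read from ip_queue instead of
# libpcap; -D daemonises.
start_snort_inline() {
    run snort_inline -Q -D -c "$1" -l "$2"
}

main() {
    setup_bridge br0 eth1 eth2
    queue_bridged_traffic
    write_local_rules /etc/snort_inline/rules/local.rules
    start_snort_inline /etc/snort_inline/snort_inline.conf /var/log/snort_inline
}

# Only act when asked: "preview" prints every step, "apply" (as root)
# executes it. Running the file bare just defines the functions.
case "${1:-}" in
    preview) DRY_RUN=1; main ;;
    apply) main ;;
esac
```

Run it as `sh inline.sh preview` first and read the commands; `sh inline.sh apply` as root then executes them. Two caveats a practitioner will hit: the bridge-nf sysctl (and, on newer kernels, loading the br_netfilter module first) is what actually delivers bridged frames to FORWARD, and ip_queue itself was later removed from the kernel in favour of NFQUEUE, which is what current Snort releases use, so the QUEUE target and -Q flag here are specific to the snort_inline generation being discussed.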