This is a discussion on Re: [Snort-users] How to setup inline within the Snort forums, part of the System Security and Security Related category.
More than 200Meg? We only have a 15mb fiber connection, we are only
averaging 6-7mb throughput, peak at 9mb.

Mike

Eric Hines wrote:
> Mike,
>
> What is your throughput? If you are pushing more than 200M I would say
> recompile your kernel with pf_ring 3 (which will give you a large ring
> buffer) and put a large amount of more RAM in there for it -- I'd say
> 4GB of memory if you can.
>
> Here is a snippet regarding some stuff on pf_ring
> http://www.ntop.org/PF_RING.html
>
> ---------- snip ------------
>
> Who needs PF_RING?
>
> Basically everyone who has to handle many packets per second. The term
> 'many' changes according to the hardware you use for traffic analysis.
> It can range from 20k pkt/sec on a i486, to 500k pkt/sec on a Pentium
> IV. PF_RING not only enables you to capture packets faster, it also
> captures packets more efficiently preserving CPU cycles. Just to give
> you some figures you can see how fast nProbe, a NetFlow v5/v9 probe, can
> go using PF_RING.
>
> ---------- snip ------------
>
> ---------- snip ------------
> "I did this test a year ago with 3.0 vs philwood vs vanilla libpcap. And
> my results were similar. My app has been logging packet capture results
> for almost a year on sensors capturing traffic in excess of 200
> megabits/sec. vanilla libpcap taps out at about 55 megabits/sec.
> philwood went up to about 80 - 120 megabits/sec depending on the
> traffic. My goal was less than 5% packet loss - pf_ring 3.0 over the
> last year on all sensors lost less than .1 % per sensor!"
> ---------- snip ------------
>
> Best Regards,
>
> Eric Hines, GCIA, CISSP
> CEO, President
> Applied Watch Technologies, LLC
> 1095 Pingree Road
> Suite 213
> Crystal Lake, IL 60014
> Toll Free: (877) 262-7593 ext:327
> Direct: (847) 854-2725 ext:327
> Fax: (847) 854-5106
> Web: http://www.appliedwatch.com
> Email: eric.hines@appliedwatch.com
>
> "Enterprise Open Source Security Management"
>
> Mike Montgomery wrote:
>> What would the hardware requirements be on a system to run inline for
>> snort? Will be using it at the headend of a WISP, with currently approx
>> 850 customers. I have an AMD Sempron +1800 with 1gb ram and 2 80gb hdds
>> setup in Raid0.
>> Will that be sufficient to handle the load?
>>
>> Mike
>>
>> Eric Hines wrote:
>>> Mike,
>>>
>>> Answer 1) Yes, you will want (3) NICs on your box. Pop a new NIC in
>>> there. When you bridge it, you will have br0 for example, which will
>>> comprise a bridge of eth1 and eth2. Make eth0 your management interface
>>> and give it an IP.
>>>
>>> eth0: 192.168.0.1
>>> eth1: 0.0.0.0
>>> eth2: 0.0.0.0
>>>
>>> Answer 2) Snort-Inline uses netfilter, ipqueue, etc for dropping
>>> packets. There are numerous writeups on how to set this up.
>>>
>>> Answer 3) Specifying which attacks are dropped is done using the drop,
>>> sdrop, etc. keywords in the action of the individual signature.
>>>
>>> I hope this helps.
>>>
>>> Best Regards,
>>>
>>> Eric Hines, GCIA, CISSP
>>> CEO, President
>>> Applied Watch Technologies, LLC
>>>
>>> Mike Montgomery wrote:
>>>> Hello,
>>>>
>>>> I recently setup a box running snort at our headend, it's not inline as
>>>> of now, but it's using a monitor port on a cisco 2950. What would be the
>>>> ideal setup to put the box inline? I currently have 2 nics in this box,
>>>> 1 on the monitor port, 2nd is the nic I use to connect to the box for
>>>> console. To go inline, would I need 3 nics total, 1 in, 1 out, and set
>>>> them to be bridged? Or what. If I wanted snort to drop the packets for
>>>> say P2P, would snort do that by itself, or would I need to have a
>>>> firewall running to do that. Just trying to make some sense of this.
>>>>
>>>> Thanks
>>>>
>>>> Mike Montgomery
>>>> Citizens Communications Corp.
>>>> /Systems Administrator/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users
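The three answers in the thread (a management NIC with an IP, two unaddressed NICs bridged as br0, netfilter/ip_queue feeding snort_inline, and drop/sdrop rule actions) fit in one script. This is an added example, not code from the thread or from the Snort project, and it assumes things the thread does not state: bridge-utils (brctl), iproute2, iptables with the QUEUE target, the ip_queue kernel module, snort_inline's -Q flag for ip_queue mode, a /24 on Eric's 192.168.0.1, and the config/rule/log paths below. The two rules are constructed for the P2P case Mike asked about.

```shell
#!/bin/sh
# Added example, not from the thread or any Snort project code. It turns
# Eric's three answers into one script: eth0 is the management interface
# with an IP, eth1 and eth2 are bridged as br0 with no addresses (the
# "0.0.0.0" in his reply), bridged frames are handed to snort_inline via
# ip_queue, and a local rule file uses the drop / sdrop actions.
# Assumed, not stated in the thread: bridge-utils (brctl), iproute2,
# iptables with the QUEUE target, the ip_queue kernel module, snort_inline's
# -Q flag for ip_queue mode, and the file paths below.
# DRY_RUN=1 (the default) only prints the commands; DRY_RUN=0 as root runs them.

MGMT_IF=${MGMT_IF:-eth0}
MGMT_IP=${MGMT_IP:-192.168.0.1/24}   # Eric's address; the /24 is assumed
IN_IF=${IN_IF:-eth1}
OUT_IF=${OUT_IF:-eth2}
BRIDGE=${BRIDGE:-br0}
CONF=${CONF:-/etc/snort_inline/snort_inline.conf}           # assumed path
RULES=${RULES:-/etc/snort_inline/rules/local-drop.rules}    # assumed path
LOGDIR=${LOGDIR:-/var/log/snort_inline}                     # assumed path
DRY_RUN=${DRY_RUN:-1}

# Transparent bridge: only eth0 gets an address; the members and br0 itself
# stay unaddressed so the sensor has no IP presence on the bridged segment.
bridge_plan() {
    cat <<EOF
ip addr add $MGMT_IP dev $MGMT_IF
ip link set $MGMT_IF up
brctl addbr $BRIDGE
brctl stp $BRIDGE off
brctl addif $BRIDGE $IN_IF
brctl addif $BRIDGE $OUT_IF
ip addr flush dev $IN_IF
ip addr flush dev $OUT_IF
ip link set $IN_IF up
ip link set $OUT_IF up
ip link set $BRIDGE up
EOF
}

# Divert bridged traffic to userspace. Packets sent to QUEUE with no reader
# attached are dropped by the kernel, so the bridge fails closed: start
# snort_inline first, then add the rule, or the link goes dark.
queue_plan() {
    cat <<EOF
modprobe ip_queue
snort_inline -Q -D -c $CONF -l $LOGDIR
iptables -A FORWARD -j QUEUE
EOF
}

# Local rules using the inline actions: "drop" alerts and discards,
# "sdrop" discards silently. Constructed examples for the P2P case Mike
# asked about; sids are in the local range (1000000 and up).
rule_file() {
    cat <<'EOF'
# constructed example rules, not from any Snort ruleset
drop tcp any any -> any any (msg:"LOCAL BitTorrent handshake dropped"; content:"BitTorrent protocol"; sid:1000001; rev:1;)
sdrop tcp any any -> any 6881:6889 (msg:"LOCAL BitTorrent port range silently dropped"; sid:1000002; rev:1;)
EOF
}

# Pre-flight: exactly two bridge members, and snort_inline is started
# before the QUEUE rule is inserted.
check_plan() {
    members=$(bridge_plan | grep -c "^brctl addif $BRIDGE ")
    [ "$members" -eq 2 ] || return 1
    queue_plan | awk '/^snort_inline/ {s=NR} /-j QUEUE/ {q=NR} END {exit !(s && q && s < q)}'
}

apply_plan() {
    check_plan || { echo "plan check failed" >&2; return 1; }
    if [ "$DRY_RUN" = 1 ]; then
        bridge_plan
        echo "# would write $RULES:"
        rule_file
        queue_plan
    else
        bridge_plan | sh -e
        rule_file > "$RULES"
        queue_plan | sh -e
    fi
}

if [ "${1:-}" = apply ]; then apply_plan; fi
```

Run it as `sh inline-bridge.sh apply` to see the plan, and `DRY_RUN=0 sh inline-bridge.sh apply` as root to execute it; the rule file still has to be pulled in from the snort_inline config with an `include` line. Two caveats worth knowing before going live: iptables only sees bridged frames when the kernel's bridge-netfilter support is enabled (on 2.6 kernels, CONFIG_BRIDGE_NETFILTER and /proc/sys/net/bridge/bridge-nf-call-iptables), and because QUEUE drops when nothing is reading it, a crashed or stopped snort_inline takes the whole link down, so the QUEUE rule should be removed by whatever stops the sensor.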