This is a discussion on Re: [Snort-users] Deployment Sizes? was: anyone trying kickfire, within the Snort forums, part of the System Security and Security Related category.
Just remember that dropping packets in Snort's case could possibly be detrimental to some of the preprocessors. You want to shoot for 0% dropped packets in anything that you do.

I do believe that you are getting too big on that one box. Snort isn't multi-core aware (yet), and while it helps to have a very powerful machine, there are limitations at some point without custom software to handle it.

J

On May 3, 2008, at 9:40 PM, Stewart L wrote:

> I figured we'd add until we start dropping too many packets. The CPU load on each core is only about 45% right now and we're dropping less than 1% of packets through the box. We're also doing some processor affinity stuff and dedicating a couple cores to SQL, and each instance of Snort gets its own core as well.
>
> I'd be interested in hearing from other folks doing large setups...
>
> Stewart
>
> On Sat, May 3, 2008 at 5:13 PM, Jason Haar <Jason.Haar@trimble.co.nz> wrote:
>
> > Stewart L wrote:
> > > Well, I wasn't in charge of the deployment. I handed it off to one of the guys on my team to do the research and recommendations.
> > >
> > > Part of the problem is that there is no SOLID advice out there on how to set up and tweak a lot of this stuff. We have the O'Reilly books and have done some searches, but there is a lot of hand waving and not a lot of solid answers.
> >
> > There are too many variables for there to be a "one size fits all" answer. That's why companies like SourceFire exist - they do all that background 'thinking' for you and produce a product that 'just works'.
> >
> > You should check the solution you have actually works. 6-16 100Mbs Ethernet monitors on one box is probably too many. Unless you've cherry-picked the motherboard, Ethernet cards, etc. And I'm assuming they're 100M - if they are Gb - you almost certainly have a problem.
> >
> > > So, you're saying that if I were to have another machine do the actual capture and a separate database machine, I'd be better off in the long haul? That should be pretty easy to set up.
> >
> > Yup - you won't get all the hard SQL work interfering with the hard packet sniffing work. And barnyard of course instead of native SQL support.
> >
> > --
> > Cheers
> >
> > Jason Haar
> > Information Security Manager, Trimble Navigation Ltd.
> > Phone: +64 3 9635 377 Fax: +64 3 9635 417
> > PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
> >
> > -------------------------------------------------------------------------
> > This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
> > Don't miss this year's exciting event. There's still time to save $100.
> > Use priority code J8TL2D2.
> > http://ad.doubleclick.net/clk;198757...a.sun.com/javaone
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users@lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/...fo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.p...=snort-users
>
> --
> Stewart
>
> The revolution will not be televised.
> The revolution will be no re-run brothers;
> The revolution will be live.

--
Joel Esler
joel.esler@sourcefire.com
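As an added example, not part of the thread or of Snort itself: a small checker for the drop-rate target discussed above. It reads the Received/Analyzed/Dropped counters in the style of the packet summary Snort 2.x prints at shutdown (the per-instance summaries below are constructed) and reports every sensor instance above a target percentage, assuming Dropped counts packets the capture layer lost before Snort saw them, so they are not included in Received.

```python
"""Flag Snort instances whose packet-drop rate exceeds a target.

Added example; not code from the Snort project. Counter layout follows
the "Packet I/O Totals" shutdown summary of Snort 2.x; the sample text
is constructed for this example.
"""
import re

# Constructed sample: one healthy instance and one shedding packets.
SAMPLE_SUMMARIES = {
    "snort-eth1": """\
Packet I/O Totals:
   Received:      1234567
   Analyzed:      1234567 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
""",
    "snort-eth2": """\
Packet I/O Totals:
   Received:      1985000
   Analyzed:      1985000 ( 99.250%)
    Dropped:        15000 (  0.750%)
   Filtered:            0 (  0.000%)
""",
}

COUNTER_RE = re.compile(r"^\s*(Received|Analyzed|Dropped):\s+(\d+)", re.M)


def parse_counters(summary):
    """Return {'Received': n, 'Analyzed': n, 'Dropped': n} from a summary."""
    found = {name: int(val) for name, val in COUNTER_RE.findall(summary)}
    missing = {"Received", "Dropped"} - found.keys()
    if missing:
        raise ValueError("summary lacks counters: %s" % sorted(missing))
    return found


def drop_rate(summary):
    """Dropped as a percentage of all packets offered to the sensor.

    Assumption: Dropped packets never reached Snort, so the denominator
    is Received + Dropped. Returns 0.0 when no packets were seen at all.
    """
    c = parse_counters(summary)
    offered = c["Received"] + c["Dropped"]
    return 0.0 if offered == 0 else 100.0 * c["Dropped"] / offered


def instances_over_target(summaries, target_pct=0.0):
    """(name, rate) for instances above target_pct, worst first."""
    rates = [(name, drop_rate(text)) for name, text in summaries.items()]
    over = [(name, rate) for name, rate in rates if rate > target_pct]
    return sorted(over, key=lambda item: -item[1])


if __name__ == "__main__":
    for name, rate in instances_over_target(SAMPLE_SUMMARIES):
        print("%s: %.3f%% dropped, above target" % (name, rate))
```

With the 0% target from the thread the second instance is flagged even though it drops "less than 1%"; raising the target to 1.0 makes it pass, which is the difference the two messages are arguing about.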