RE: Snort + (OpenBSD or Linux)
From: Colby Rice (crice@180096hotel.com)
Date: 07/30/01
- Previous message: Gregory_DeGennaro@csaa.com: "RE: Snort + (OpenBSD or Linux)"
- Maybe in reply to: Digital Ebola: "Snort + (OpenBSD or Linux)"
- Next in thread: Gregory_DeGennaro@csaa.com: "RE: Snort + (OpenBSD or Linux)"
Subject: RE: Snort + (OpenBSD or Linux)
Date: Mon, 30 Jul 2001 10:18:47 -0500
Message-ID: <FA3D3A0F5774BE4487D8529DA9F1503D7B97B2@hrn-mail03>
From: "Colby Rice" <crice@180096hotel.com>
To: <Gregory_DeGennaro@csaa.com>, <subba9@home.com>, <dbunge@costco.com>
It works well when it is hanging off a very nice switch and does not have to deal with anything other than inbound and outbound traffic from the net...
(I have other machines that sit and watch the inside traffic.) The only time I really have a jump is when traffic starts getting high... then that depends on the load of the Cat... my PIX drops more packets than my Snort box. :>
CR
-----Original Message-----
From: Gregory_DeGennaro@csaa.com [mailto:Gregory_DeGennaro@csaa.com]
Sent: Monday, July 30, 2001 8:15 AM
To: Colby Rice; subba9@home.com; dbunge@costco.com
Cc: FOCUS-IDS@securityfocus.com
Subject: RE: Snort + (OpenBSD or Linux)
"Currently it drops about .09% of the packets when we are at high bandwidth."
The amount of drops sounds good to me, since the SLA for a clean network is usually 10 percent or less. Any more than that, I would consider inefficient. Besides, there are settings in Snort to adjust to network speed.
The good old -A switch is pretty handy.
Greg
-----Original Message-----
From: Colby Rice [mailto:crice@180096hotel.com]
Sent: Monday, July 30, 2001 8:03 AM
To: Subba Rao; Dan Bunge
Cc: Focus IDS
Subject: RE: Snort + (OpenBSD or Linux)
I run FreeBSD+Snort as the primary NIDS in a high-traffic environment.
The machine itself:
2 x 1GHz PIII
1 gig RAM
40 gig drive space.
This machine logs to a MySQL server.
Currently it drops about .09% of the packets when we are at high bandwidth.
The cost of this setup:
$4,000
The TCO:
$15,000/year (this includes human time)
The cost of ISS RealSecure (to do the same thing this does):
$60,000
The TCO:
~$30,000/year
IMHO Snort is a better deal. If I run into a problem where one machine cannot handle the bandwidth, that's fine... I have extra ports on my Catalyst... and monitor ports are EASY to configure. As for the 'best OS' to run Snort on...
I have used Linux, OpenBSD, and FreeBSD in this setup, and I can't say one is better than the other. More than anything, how you have Snort configured will affect how fast it is, i.e. if you have 10000 rules and 100Mb/s+ of traffic you are going to drop packets and the box is going to be under some load.
CR
-----Original Message-----
From: Subba Rao [mailto:subba9@home.com]
Sent: Monday, July 30, 2001 3:40 AM
To: Dan Bunge
Cc: Focus IDS
Subject: Re: Snort + (OpenBSD or Linux)
On 0, Dan Bunge <dbunge@costco.com> wrote:
>
> It really all depends on how much traffic you're throwing at it.
>
> The only real performance gains we found of running Snort on OpenBSD were at the 200Mb/s+ range, and it wasn't really that significant anyway.
>
> Besides, if you've got that much bandwidth at your front door, get yourself a proven commercially supported product.
> Snort's a cool toy for home use, and it's great to have in the test lab, but I'd never deploy it for production use in the enterprise. Not just yet.
>
> If you're just trying to find something to put down on your cable modem, use whatever OS you're comfortable with.
> You won't see any gain between the two at that low level of bandwidth utilization.
>
> >
> > The choice of the underlying OS that Snort will run on is bothering me a bit.
> > I see several threads talking about Snort on OpenBSD. Where does OpenBSD's performance surpass Linux for using it as a Snort box? Regarding the security features of the OS, both (OpenBSD and Linux) systems could be equally fortified.
> > What are the measurable improvements for using Snort on OpenBSD, instead of Linux?
> >
> > Thank you in advance for any info.
>
I disagree that Snort is a toy for home use only. That is a different discussion, where I think we can throw in real data proving that it is a commercial-grade IDS.
My main concern is the underlying OS for Snort. Alan Cox states that the TCP/IP stack for the kernel 2.4.x was rewritten. The drivers for high-performance NICs like 3Com/Intel seem to be current on OpenBSD and Linux. So is there something important that I am missing about the underlying OS for Snort? (This is not a religious war of OSs.) I like and use OpenBSD and Linux with the same level of importance.
Where are the studies that are saying that OpenBSD does not drop all the packets on a heavy-duty pipe? Or that OpenBSD is x% faster than Linux for an IDS box in the production environment?
--
Subba Rao  subba9@home.com  http://members.home.net/subba9/
GPG public key ID 27FC9217
Key fingerprint = 2B4C 498E 1860 5A2B 6570 5852 7527 882A 27FC 9217