Snort on Gigabit [was Re: IDS\IPS that can handle one Gig]

• Previous message: Joel Esler: "Re: New to Snort !!!"
• In reply to: Byron L. Sonne: "Re: IDS\IPS that can handle one Gig"
• Next in thread: Konstantin V. Gavrilenko: "Re: IDS\IPS that can handle one Gig"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Sun, 29 May 2005 10:37:32 +0200
To: "Byron L. Sonne" <blsonne@rogers.com>

Hello Everybody.

> On 5/21/05, Byron L. Sonne <blsonne@rogers.com> wrote:
> It's not a vendor, but I've heard people have been running Snort quite
> well on gig links.

In this days I am trying to configure Snort to analyze traffic on a
busy gigabit link (400-600Mbit), and I am finding I lose 60-80%
traffic with the default snort config on freebsd (with device polling
and some kernel tuning for sniffing purpose) with a quite good
hardware. From my first analysis it looks like the problem is in how
the prepocessor works and are configured (without preprocessor I can
process near all the traffic)

Is there anybody that used snort on gigabit connection that can share
with us experience and tuning tips?

Best Regards,
                 Mamo
PS
For sourcefire people or people that used their product.. What are the
difference between the snort engine in the sourcefire appliance and
the open source one?

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------

• Previous message: Joel Esler: "Re: New to Snort !!!"
• In reply to: Byron L. Sonne: "Re: IDS\IPS that can handle one Gig"
• Next in thread: Konstantin V. Gavrilenko: "Re: IDS\IPS that can handle one Gig"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]