[unisog] IDS related Question

Peter Van Epp vanepp at sfu.ca
Mon Aug 16 20:01:11 GMT 2004


	While I don't use snort (argus being the answer :-)), you should be 
able to buy good quality gig cards (SysConnect are my favorite, since they 
will do full rate gig if your machine is big enough) and substitute them for
the current 100 cards with essentially no changes (a new driver is obviously
necessary at the OS level). Then your only problem is having enough horsepower
and memory bandwidth on your capture machine to take the load (as I recall 
snort wants the full packet which is a substantial load ...). It's worth getting
a machine with 64 bit PCI (Tyan Thunder is what I use because it was what 
was benchmarked at a full gig and can do 995 or so megs on netperf between
a pair of them over a cross over cable here). If you have fdx issues, the Linux
channel bonding driver will make two SysConnect cards look like a single 
interface (again I've tried it but don't use it because increasing bpf buffer
size on Linux needed a recompile last I looked and FreeBSD doesn't and was 
a lot more network efficient at high link utilization, i.e. two CPUs pretty
much flat out for Linux, one and a bit at 100% for FreeBSD on netperf). Even
those boxes only get about 1600 megs fdx (possibly memory or PCI limitation).

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

On Mon, Aug 16, 2004 at 12:28:14PM -0700, khan rohail wrote:
> I am looking towards possible solutions to upgrade our
> IDS system from monitoring 100MB to Gigabit. Though
> the bandwidth won't be gigabit but I would still like
> the capability for it to monitor gig. We are using
> snort freeware. 
> 
> Has anyone implemented snort to support gig, and how?
> Any reference materials would be appreciated. I know
> that you can do it using toplayer load balancer but I
> am looking for something different.
> 
> Thanks