From: Erik Engberg (Erik.Engbergcygate.se)
Date: Tue Mar 20 2001 - 09:48:26 CST


    (This has been up on the list before, hasn't it?)

    Anyway,

    I have done tests of this with the TopLayer switch and it works great, even
    loadbalancing 3-4 snorts and 3-4 [other IDS] for redundant detection.

    If you want an alternative, Alteon layer-7 switches work just fine as well
    (even better?), although they are not fully stateful and have a built-in
    stateful firewall as the TopLayer, they are a lot faster (more stable?) and
    can handle a lot more load and work great for IDS load balancing. They may
    be cheaper as well... Although the Toplayer switch has a lot more
    luserfriendly windoze gui interface.

    I would recommend the Toplayer product to most people and Alteon to the
    high-demand pro's.

    /Erik

    >-----Original Message-----
    >From: diphenagitation.net [mailto:diphenagitation.net]
    >Sent: den 19 mars 2001 23:48
    >To: Austad, Jay
    >Cc: 'snort-userslists.sourceforge.net'
    >Subject: Re: [Snort-users] thoughts on load balancing snort boxen for
    >high traffic links
    >
    >
    >I asked Marty this question a while back - his recommendation was to use
    >TopLayer switches and balance between a few different boxes.
    >
    >-g
    >
    >On Mon, Mar 19, 2001 at 01:26:35PM -0600, Austad, Jay wrote:
    >> I originally sent this message to another list of people, but I think maybe
    >> it's a good thing to post it here also:
    >>
    >> Ok, so I was thinking more on load balancing snort boxes for high traffic
    >> links, and here's one idea I had, let me know if this sounds like it may
    >> work:
    >>
    >> Say I have one box that sits and runs the following command:
    >> tcpdump -i eth1 -<some_options> | ./splitter -b 10M -h
    >> 10.1.1.1:9999,10.1.1.2:9999,10.1.1.3:9999 &
    >>
    >> Where the program "splitter" takes the tcpdump output as stdin, fills a
    >> buffer of size specified by the -b option, and then flushes the buffer
    >> (UDP?) to the first host listed in the -h option, the next fill/flush will
    >> go to the second host, and so on.
    >>
    >> Each snort box has its snort.conf set up to log to the same central
    >> database, has a named pipe (mkfifo /dev/snortpipe), and runs something like:
    >>
    >> nc -l -p 9999 -u > /dev/snortpipe &
    >> snort -<some_options> -r /dev/snortpipe &
    >>
    >> I couldn't get snort to take stdin, hence the creation of the named pipe.
    >> The splitter program will most likely have to have multiple threads running
    >> so that when one is flushing the buffer, the next one can be filling another
    >> one so there is no interruption in collection of data. As my 3 snort boxes
    >> start running out of resources because of growing traffic, I can just add
    >> another. Obviously, you're probably going to hose some of the fragment
    >> reassembly, but it shouldn't be too bad if your buffer size specified in the
    >> splitter program is large enough.
    >>
    >> Unless snort gets more efficient or takes advantage of multiple procs, or
    >> until we have 4Ghz processors, I don't see how I'm going to sniff links
    >> that sustain any more than 20Mbit/sec worth of traffic. Thoughts??
    >>
    >>
    >> ----------
    >> Jay Austad
    >> Network Administrator
    >> CBS Marketwatch
    >> 612.817.1271
    >> austadmarketwatch.com <mailto:austadmarketwatch.com>
    >> http://cbs.marketwatch.com
    >> http://www.bigcharts.com
    >>
    >>
    >>
    >> _______________________________________________
    >> Snort-users mailing list
    >> Snort-userslists.sourceforge.net
    >> Go to this URL to change user options or unsubscribe:
    >> http://lists.sourceforge.net/lists/listinfo/snort-users
    >> Snort-users list archive:
    >> http://www.geocrawler.com/redir-sf.php3?list=snort-users
    >

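The following is an added illustration, not code from this thread or from any of the products named in it. It models the "splitter" Jay proposes (fill a buffer of N bytes, flush it to the next sensor, repeat) and places a second distribution policy beside it: a direction-independent hash of the 5-tuple, so every packet of a connection, in both directions, reaches the same sensor. The point it makes concrete is the reassembly problem Jay mentions: a byte-count round-robin sends one connection's packets to several sensors, and no single sensor can then reassemble it, whatever the buffer size, because a flow's packets arrive whenever they arrive. The packet records and function names are constructed for this example; nothing is sent on the network.

```python
"""Added example: buffer round-robin vs. flow-hash distribution of packets
to several IDS sensors. All packets below are constructed sample records."""
from collections import defaultdict
import hashlib
from typing import List, NamedTuple, Tuple


class Packet(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    length: int  # bytes on the wire


def flow_key(pkt: Packet) -> Tuple:
    """Direction-independent 5-tuple: both halves of a connection share a key."""
    a = (pkt.src, pkt.sport)
    b = (pkt.dst, pkt.dport)
    lo, hi = sorted([a, b])
    return (pkt.proto, lo, hi)


def round_robin_by_buffer(packets: List[Packet], buffer_size: int,
                          n_sensors: int) -> List[Tuple[int, Packet]]:
    """Jay's splitter as described in the thread: accumulate packets until the
    next one would overflow the buffer, then move on to the next sensor.
    Returns (sensor_index, packet) pairs in arrival order."""
    out = []
    sensor, filled = 0, 0
    for pkt in packets:
        if filled > 0 and filled + pkt.length > buffer_size:
            sensor = (sensor + 1) % n_sensors  # flush: next buffer goes elsewhere
            filled = 0
        out.append((sensor, pkt))
        filled += pkt.length
    return out


def hash_by_flow(packets: List[Packet], n_sensors: int) -> List[Tuple[int, Packet]]:
    """Symmetric flow hashing: the sensor is chosen from the flow key, so all
    packets of a connection land on one sensor regardless of arrival order."""
    out = []
    for pkt in packets:
        digest = hashlib.sha256(repr(flow_key(pkt)).encode()).digest()
        out.append((int.from_bytes(digest[:4], "big") % n_sensors, pkt))
    return out


def split_flows(assignment: List[Tuple[int, Packet]]) -> List[Tuple]:
    """Flows whose packets were delivered to more than one sensor: these are
    the connections no sensor can reassemble or inspect as a whole."""
    seen = defaultdict(set)
    for sensor, pkt in assignment:
        seen[flow_key(pkt)].add(sensor)
    return sorted(k for k, sensors in seen.items() if len(sensors) > 1)


# Constructed traffic: one HTTP connection (both directions) interleaved with
# an unrelated SMTP connection. Sizes chosen so a 2000-byte buffer fills often.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "192.0.2.10", 40000, 80, "tcp", 60),    # SYN
    Packet("192.0.2.10", "10.0.0.5", 80, 40000, "tcp", 60),    # SYN/ACK
    Packet("10.0.0.5", "192.0.2.10", 40000, 80, "tcp", 1500),  # request, part 1
    Packet("10.0.0.7", "192.0.2.20", 41000, 25, "tcp", 1500),  # other flow
    Packet("10.0.0.5", "192.0.2.10", 40000, 80, "tcp", 1500),  # request, part 2
    Packet("192.0.2.10", "10.0.0.5", 80, 40000, "tcp", 1500),  # response
    Packet("10.0.0.7", "192.0.2.20", 41000, 25, "tcp", 1500),  # other flow
]


if __name__ == "__main__":
    rr = round_robin_by_buffer(SAMPLE_PACKETS, buffer_size=2000, n_sensors=3)
    fh = hash_by_flow(SAMPLE_PACKETS, n_sensors=3)
    print("round-robin sensors:", [s for s, _ in rr])
    print("round-robin split flows:", split_flows(rr))
    print("flow-hash sensors:  ", [s for s, _ in fh])
    print("flow-hash split flows:  ", split_flows(fh))
```

With the constructed input and a 2000-byte buffer, the round-robin policy spreads the HTTP connection over two sensors (the request and its response are inspected apart), while the hash policy keeps each connection on one sensor; the hash also spreads load evenly only across many flows, so a single very large flow still lands on one box, which is the trade-off any flow-aware balancer carries.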