
| Subject: | RE: [Snort-users] Snort performance concerns |
|---|---|
| Date: | Fri, 30 Sep 2005 10:49:08 -0400 |
Open source Snort should easily be able to handle this amount of traffic. One thing I would seriously look at, if you haven't already, is Barnyard. If you output directly to a database, Snort could drop packets during slow inserts. With Barnyard, you are outputting to a unified output file and then Barnyard is reading it and doing the inserts. This will help greatly with dropped packets.

Jeff

_____

From: snort-users-admin@lists.sourceforge.net [mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Larry Wichman
Sent: Friday, September 30, 2005 10:26 AM
To: Snorty S Snortman
Subject: [Snort-users] Snort performance concerns

I enabled Performance Monitor on my sensors and I have some concerns after looking at some of the performance stats. First, I have three sensors, two of which average 96mb/sec of traffic, and the dropped packets percentage average is about 10% (proc and memory utilization are high, as expected). I have a third sensor that sees an average of about 5mb/sec and has the same amount of dropped packets; memory and proc utilization are minimal. I have implemented all the suggested optimizations (I think), patched Libpcap, etc. I can understand that there would be some dropped packets when the traffic is at a high, continuous load, but the third sensor with the same amount of dropped packets with only a fraction of the traffic concerns me. I am thinking about upgrading the hardware (faster proc, bus speeds, etc.), but I might be wasting money if the stats are the same. Does anyone have any input as to what is causing the dropped packets?

Also, my boss told me to start evaluating commercial products. My first choice would be Sourcefire. I really do like working with Snort, but I need whatever product I choose to be able to handle the amount of traffic that we have. I would greatly appreciate any input on this.

Cheers.

Larry