33

Snort Full 10Gbps

Does anyone know if Snort or Suricata are capable of handling full 10Gbps? (14,204,545 PPS)

23 comments
76% Upvoted

Not Snort/Suricata, but here's how to do 100G with Bro

http://go.lbl.gov/100g

No clue if a similar method would work for Snort/Suricata

Original Poster · 6 points · 3 days ago

I'd want to be able to deny packets and rate-limit. I don't think Bro is able to do those things.

The idea with Bro is that you do all of that with other hardware.

12 points · 3 days ago

IDS vs IPS...

13 points · 3 days ago

It's technically Snort, but Cisco's Firepower 4100 and 9300 series start around 10Gbps and go up to 133Gbps according to their docs.

Architecture of the box doesn't punt traffic to the Snort engine unless you have rules in place.

Not sure if those numbers are with rules enabled or not.

The quality of Firepower (formerly Sourcefire) has taken a dramatic dive since Cisco purchased them. I’ve spent the last four years in various stages of hell because of it.

Do not recommend.

2 points · 2 days ago

I've worked with both for the last 5 years and I have little to no grief with Firepower and was an early adopter (version 5.3; I agree that 5.3-5.4 kinda sucked). I've run mostly ASA with Firepower services, but switched over to Firepower Threat Defense and am really happy with it. I'm a security over connectivity guy, so I can understand that if you are a connectivity over security guy you could be unhappy :)

Firepower 2100 series is spec'd to do 8+ Gig/s with all the bells and whistles activated. Haven't tested it to verify. But Cisco has a track record of reporting the specs lower than real life experience.

2 points · 2 days ago

Yes, they have gotten better since the acquisition of Sourcefire, it just took them a while. Can't wait to see what 6.3 holds for Firepower.

At Cisco Live in Barcelona they told me multiple context mode would come in 6.3; that will be awesome for MSPs. I know I've been waiting on that particular feature.

Nah, I'm a security guy.

We've had issues with every single release since Cisco took over. In fact, at one point our office had identified enough bugs that we had more tickets open than any other Cisco Firepower customer.

Hell, we ran on loaner hardware using a previous version for the first 9 months we had the thing while they identified a bug in the version they shipped us.

To be fair, we're sending between 4 and 20Gbps of traffic in both directions, but our hardware stack is supposed to be able to handle that without issue. I don't think it's a hardware problem. The software QA has just been poor since Cisco took over.

It's not the network!
6 points · 3 days ago

Maybe with an FPGA.

Original Poster · 2 points · 3 days ago

By FPGA, do you mean one of those NICs designed specifically for packet capture? Or would you have to get an actual custom built NIC for this?

7 points · 3 days ago

It's not the NIC that needs to be able to do this, it's the CPU, and I don't think there is much out there that will get you there. I've seen an internet-facing firewall chew up ~80% of 8 cores moving 1.2-1.4Gb/s of internet traffic, and that wasn't even scanning it all.

4 points · 3 days ago

Actually the NIC can make a huge difference. Just handling that many packets can really stress a system. x86_64 Linux is a general purpose network stack and isn't designed to process packets efficiently at this volume. In fact, it seems to start to come apart around 4Gbps. This is why vendors have FPGA NICs (Napatech/CSPI). You can also use something called a "zero copy" driver like PF_RING ZC, netmap, or Intel DPDK to deal with this. As I understand it, this essentially puts the packet directly into memory without the processor having to copy it twice. This frees up a ton of CPU to do analysis.

It's common for traffic shapers to require DPDK.

2 points · 2 days ago

These are great papers. Even with the first SEPTUN you can hit 10Gbps on a single NIC.

2 points · 3 days ago · edited 3 days ago

I am not trying to be off-topic but I feel this is relevant to your question. I have dealt with traffic up to 50gig throughput for monitoring. In our case, we relied heavily on a Gigamon GigaVUE-HC3 to perform deduplication, load balancing, and packet filtering.

When you want to inspect a significant amount of traffic it becomes a matter of scale and managing that traffic intelligently. By cutting down the actual inspection throughput requirements you can save a substantial expense in your security stack. Once you pass the 10gig mark, you will find that the cost per gig for monitoring traffic explodes. By utilizing something like a Gigamon or similar appliance you save the cost of the tool by being able to purchase inspection tools that are considerably less expensive for a smaller amount of throughput. It also opens the door to tools that typically wouldn't be able to handle such a significant amount of traffic.

So the question "can Snort handle 10gig" becomes "can it handle 1gig-5gig" due to the massive reduction in throughput requirements; or, with a similar tool that supports clustering, you can load balance the traffic across multiple links and clusters.
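An added example, not code from the thread or from any vendor mentioned in it: when a packet broker (or a PF_RING cluster) fans 10G out to several smaller Snort/Suricata instances, the hash has to be symmetric so both directions of a connection land on the same sensor, otherwise stateful inspection and any deny/rate-limit decision only ever see half the conversation. The packets below are constructed 5-tuples; the sensor count and CRC32 hash are assumptions chosen for illustration.

```python
"""Symmetric 5-tuple flow hashing for spreading traffic across IPS sensors.

Constructed example: a flow and its reverse direction must map to the same
sensor index, or the sensor never sees a complete TCP conversation.
"""
import ipaddress
import zlib


def flow_key(src_ip, dst_ip, proto, sport, dport):
    """Canonicalise the endpoints so A->B and B->A yield the same key."""
    a = (int(ipaddress.ip_address(src_ip)), sport)
    b = (int(ipaddress.ip_address(dst_ip)), dport)
    lo, hi = (a, b) if a <= b else (b, a)
    return (lo[0], lo[1], hi[0], hi[1], proto)


def sensor_for(pkt, n_sensors):
    """Pick a sensor index (0..n_sensors-1) for a (src, dst, proto, sport, dport) tuple."""
    key = flow_key(*pkt)
    # 16 bytes per field holds a 128-bit IPv6 address; ports/proto fit trivially.
    data = b"".join(v.to_bytes(16, "big") for v in key)
    return zlib.crc32(data) % n_sensors  # CRC32 is an assumption; any stable hash works


def distribute(packets, n_sensors):
    """Return {sensor_index: [packet, ...]} for a batch of 5-tuples."""
    buckets = {i: [] for i in range(n_sensors)}
    for pkt in packets:
        buckets[sensor_for(pkt, n_sensors)].append(pkt)
    return buckets


def is_symmetric(packets, n_sensors):
    """True if every packet and its reversed direction land on the same sensor."""
    for src, dst, proto, sport, dport in packets:
        if sensor_for((src, dst, proto, sport, dport), n_sensors) != \
           sensor_for((dst, src, proto, dport, sport), n_sensors):
            return False
    return True


# Constructed sample traffic: client->server and server->client for TCP, UDP and IPv6.
SAMPLE = [
    ("10.0.0.7", "203.0.113.10", 6, 40001, 443),
    ("203.0.113.10", "10.0.0.7", 6, 443, 40001),
    ("10.0.0.9", "198.51.100.53", 17, 51234, 53),
    ("198.51.100.53", "10.0.0.9", 17, 53, 51234),
    ("2001:db8::1", "2001:db8::2", 6, 52000, 22),
    ("2001:db8::2", "2001:db8::1", 6, 22, 52000),
]
```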

1 point · 2 days ago

What’s the pricing like for gigavue/secure?

Packet Farmer
1 point · 2 days ago

Too much.

I write anti-DDoS
1 point · 2 days ago

10Gbps snorting is real life; all you need is the PF_RING DAQ.

is it any good?

fuck no

is there anything better?

PF_RING ZC and a qualifying NIC

Original Poster · 1 point · 2 days ago

OP here. Just to clarify, I want it to act as an IPS, not an IDS. I don't plan on having it run thousands of rules either. Probably a maximum of 25-50.
