
[–]notFREEfood 18 points19 points  (3 children)

Not Snort/Suricata, but here's how to do 100G with Bro


No clue if a similar method would work for Snort/Suricata

[–]allencook420[S] 4 points5 points  (2 children)

I'd want to be able to deny packets and rate-limit. I don't think BRO is able to do those things.

[–]notFREEfood 11 points12 points  (1 child)

The idea with Bro is that you do all of that with other hardware.

[–]Apachez 12 points13 points  (0 children)

IDS vs IPS...

[–]Strahd414 14 points15 points  (6 children)

It's technically Snort, but Cisco's Firepower 4100 and 9300 series start around 10Gbps and go up to 133Gbps according to their docs.

[–]birdy9221 6 points7 points  (0 children)

Architecture of the box doesn’t punt traffic to the snort engine unless you have rules in place.

Not sure if those numbers are with rules enabled or not.

[–]rClNn7G3jD1Hb2FQUHz5 10 points11 points  (4 children)

The quality of Firepower (formerly Sourcefire) has taken a dramatic dive since Cisco purchased them. I’ve spent the last four years in various stages of hell because of it.

Do not recommend.

[–]planii11 1 point2 points  (3 children)

I've worked with both for the last 5 years and I have little to no grief with Firepower and was an early adopter (version 5.3; I agree that 5.3-5.4 kinda sucked). I've run mostly ASA with Firepower services, but switched over to Firepower Threat Defence and am really happy with it. I'm a security over connectivity guy, so I can understand that if you are a connectivity over security guy you could be unhappy :)

Firepower 2100 series is spec'd to do 8+ Gig/s with all the bells and whistles activated. Haven't tested it to verify. But Cisco has a track record of reporting the specs lower than real life experience.

[–]xeon65 1 point2 points  (1 child)

Yes, they have gotten better since the acquisition of Sourcefire, it just took them a while. Can't wait to see what 6.3 holds for Firepower.

[–]planii11 0 points1 point  (0 children)

At Cisco Live in Barcelona they told me multiple context mode would come in 6.3; that will be awesome for MSPs. I know I've been waiting on that particular feature.

[–]rClNn7G3jD1Hb2FQUHz5 1 point2 points  (0 children)

Nah, I'm a security guy.

We've had issues with every single release since Cisco took over. In fact, at one point our office had identified enough bugs that we had more tickets open than any other Cisco Firepower customer.

Hell, we ran on loaner hardware using a previous version for the first 9 months we had the thing while they identified a bug in the version they shipped us.

To be fair, we're sending between 4 and 20Gbps of traffic in both directions, but our hardware stack is supposed to be able to handle that without issue. I don't think it's a hardware problem. The software QA has just been poor since Cisco took over.

[–]scratchfuryIt's not the network! 4 points5 points  (4 children)

Maybe with an FPGA.

[–]allencook420[S] 1 point2 points  (3 children)

By FPGA, do you mean one of those NICs designed specifically for packet capture? Or would you have to get an actual custom built NIC for this?

[–]WendoNZ 4 points5 points  (1 child)

It's not the NIC that needs to be able to do this, it's the CPU, and I don't think there is much out there that will get you there. I've seen an internet facing firewall chew up ~80% of 8 cores moving 1.2-1.4Gb/s of internet traffic, and that wasn't even scanning it all.

[–]FlowMang 3 points4 points  (0 children)

Actually the NIC can make a huge difference. Just handling that many packets can really stress a system. x86_64 Linux is a general purpose network stack and isn't designed to process packets efficiently at this volume. In fact, it seems to start to come apart around 4Gbps. This is why vendors have FPGA NICs (Napatech/CSPI). You can also use something called a "zero copy" driver like PF_RING ZC, netmap, or Intel DPDK to deal with this. As I understand it, this essentially puts the packet directly into memory without the processor having to copy it twice. This frees up a ton of CPU to do analysis.

[–]willricci 0 points1 point  (0 children)

It's common for traffic shapers to require DPDK.

[–]hatemyjobZ 4 points5 points  (1 child)

[–]apstls 1 point2 points  (0 children)

These are great papers. Even with the first SEPTUN you can hit 10Gbps on a single NIC.

[–]fireshroom 1 point2 points  (2 children)

I am not trying to be off-topic but I feel this is relevant to your question. I have dealt with traffic up to 50gig throughput for monitoring. In our case, we relied heavily on a Gigamon GigaVUE-HC3 to perform deduplication, load balancing, and packet filtering.

When you want to inspect a significant amount of traffic it becomes a matter of scale and managing that traffic intelligently. By cutting down the actual inspection throughput requirements you can save a substantial expense in your security stack. Once you pass the 10gig mark, you will find that the cost per gig for monitoring traffic explodes. By utilizing something like a Gigamon or similar appliance you save the cost of the tool by being able to purchase inspection tools that are considerably less expensive for a smaller amount of throughput. It also opens the door to tools that typically wouldn't be able to handle such a significant amount of traffic.

So the question "can Snort handle 10gig" becomes "can it handle 1gig-5gig" due to the massive reduction in throughput requirements; with Snort or a similar tool that supports clustering, you can load balance the traffic across multiple links and clusters.
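
The load-balancing step described in this comment (and the per-flow distribution that PF_RING/DPDK cluster modes do on the sensor itself) only works for an IDS/IPS if both directions of a flow land on the same sensor; otherwise stream reassembly and state tracking see half a conversation. The following is an added illustration, not code from this thread or from Gigamon, Snort or Suricata, of a symmetric 5-tuple hash next to a naive one. The sample flows, the hash choice (BLAKE2b) and the sensor count are constructed assumptions.

```python
"""Symmetric flow hashing for spreading traffic across an IDS/IPS cluster.

Added illustration (not from the thread or any vendor): shows why the
load balancer must hash the 5-tuple direction-independently so that the
client->server and server->client halves of a flow reach the same sensor.
"""
import hashlib
import ipaddress
from collections import Counter


def flow_key(src_ip, src_port, dst_ip, dst_port, proto, symmetric=True):
    """Serialize a 5-tuple. With symmetric=True the two endpoints are put in
    canonical order, so A->B and B->A produce the same key."""
    a = ipaddress.ip_address(src_ip).packed + src_port.to_bytes(2, "big")
    b = ipaddress.ip_address(dst_ip).packed + dst_port.to_bytes(2, "big")
    if symmetric and b < a:
        a, b = b, a
    return bytes([proto]) + a + b


def sensor_for(pkt, n_sensors, symmetric=True):
    """Pick the sensor index for one packet (a (src, sport, dst, dport, proto) tuple).
    BLAKE2b is an assumption; any uniform hash works."""
    key = flow_key(*pkt, symmetric=symmetric)
    digest = hashlib.blake2b(key, digest_size=8).digest()
    return int.from_bytes(digest, "big") % n_sensors


def assign(packets, n_sensors, symmetric=True):
    """Distribute packets across sensors.

    Returns (packets per sensor, number of flows whose two directions were
    sent to different sensors). The second value must be 0 for an IDS/IPS
    cluster to reassemble streams correctly."""
    per_sensor = Counter()
    sensors_by_flow = {}  # canonical flow key -> set of sensor indices
    for pkt in packets:
        s = sensor_for(pkt, n_sensors, symmetric)
        per_sensor[s] += 1
        canonical = flow_key(*pkt, symmetric=True)
        sensors_by_flow.setdefault(canonical, set()).add(s)
    split = sum(1 for seen in sensors_by_flow.values() if len(seen) > 1)
    return per_sensor, split


# Constructed sample flows as (src, sport, dst, dport, proto); documentation
# address ranges only.
SAMPLE_FLOWS = [
    ("10.0.0.5", 51234, "93.184.216.34", 443, 6),
    ("10.0.0.7", 40001, "198.51.100.9", 80, 6),
    ("10.0.0.9", 53213, "192.0.2.53", 53, 17),
    ("2001:db8::10", 60000, "2001:db8:1::443", 443, 6),
]


def both_directions(flows):
    """Expand each flow into a client->server and a server->client packet."""
    pkts = []
    for src, sp, dst, dp, proto in flows:
        pkts.append((src, sp, dst, dp, proto))
        pkts.append((dst, dp, src, sp, proto))
    return pkts


if __name__ == "__main__":
    pkts = both_directions(SAMPLE_FLOWS)
    for sym in (True, False):
        per_sensor, split = assign(pkts, 4, symmetric=sym)
        print(f"symmetric={sym}: per-sensor={dict(per_sensor)} flows split={split}")
```

With `symmetric=True` the split count is always 0; with `symmetric=False` the reverse direction of most flows hashes to a different sensor, which is exactly the failure a plain source/destination hash on an upstream switch or packet broker produces. The same property is what RSS "symmetric" keys and the flow-based cluster modes of PF_RING/DPDK-style capture are there to guarantee.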

[–]apstls 0 points1 point  (1 child)

What’s the pricing like for gigavue/secure?

[–]NightWolf105Packet Farmer 0 points1 point  (0 children)

Too much.

[–]The_Bitterveti write antiddos 0 points1 point  (0 children)

10Gbps snorting is real life; all you need is the PF_RING DAQ.

is it any good?

fuck no

is there anything better?

PF_RING ZC and a qualifying NIC.

[–]allencook420[S] 0 points1 point  (0 children)

OP here. Just to clarify, I want it to act as an IPS, not an IDS. I don't plan on having it run thousands of rules either. Probably a maximum of 25-50.