
List:       security-onion
Subject:    [security-onion] Re: Multigigabit Speeds -- Again
From:       Vincent <elusivesecurity () gmail ! com>
Date:       2013-03-29 12:40:41
Message-ID: 39800d24-dbcc-4382-9910-b47de3e72dd9 () googlegroups ! com

On Thursday, March 28, 2013 12:26:43 PM UTC-4, Michael Haney wrote:
> In my experience (and others on this list have said similar), hardware is a deciding factor, and improper tuning will ruin your day. But the tools included in SecurityOnion (particularly with the performance of the PF_RING and netsniff-ng) are definitely up to the task, and the setup process with SO makes it pretty easy to get it right. The trick is to tune various things to balance your traffic across multiple cores and multiple (single-thread) processes in a way that works for you.
> The first thing to consider is how you parallelize your traffic analysis. Robin Sommer of the Bro team has a great presentation from a few years ago that graphically explains the issues (maybe too many pictures and not enough words): http://www.icir.org/robin/slides/cisco-multi-core.pdf
> And here's one about 100Gbps. Yep.
> http://www.icir.org/robin/slides/icsi-board-meeting.pdf
> 
> There's some documentation on the bro cluster model here:
> http://www.bro.org/documentation/cluster.html
> 
> SecurityOnion docs discuss the PF_RING setup here:
> https://code.google.com/p/security-onion/wiki/PF_RING
> 
> There are a few other sources out there that discuss how PF_RING will load-balance traffic by flow...
> Another more manual process (that I think gives you more control and awareness of how things are being processed) is to set up multiple sensor instances during sosetup to get multiple procs assigned. Then you can manipulate the bpf.conf files (by default, just one, but with symlinks that can be removed to create multiple files for the various processes). That setup is briefly discussed here: https://code.google.com/p/security-onion/wiki/BPF
> So say you have a really busy web server within a DMZ subnet, you have the rest of the DMZ, and you have the internal network zone. You could have a bpf.conf set to just grab traffic to and from the web server. Then in another instance folder, you set the bpf to be all DMZ traffic that is NOT the web server. Then you can have a third instance to take all traffic that is NOT in the DMZ. If you're careful ;^) you'll still get all the traffic, and you have control of how it is balanced across sensor instances.
> Anyway, this is what I'm working on these days mirroring 3 10Gbps networks, and I know with the right tuning and "beefy" but still commodity hardware (that Dell R720 is a great choice for the price), you can definitely handle the load. I know others have made big progress on big data, so I'd love to hear from other SO users about setup possibilities.
> But anyone will tell you that it is totally possible to hose your beefy system and drop packets like crazy if you push everything to one thread, have every Snort rule available turned on, with several rules possibly incorrect, preprocessors not tuned at all, and only 1GB of RAM for a 10Gbps NIC. Then try to get Bro to parse out and store every attachment of every web session, etc, etc. I've made more mistakes than successes, but here's to learning by doing. Therefore, YMMV.
> Hope this helps.
> 
> Regards,
> Michael
> 
> On Wednesday, March 27, 2013 10:30:44 AM UTC-5, Vincent wrote:
> > On Wednesday, March 27, 2013 11:20:05 AM UTC-4, Vincent wrote:
> > > I know this has been asked before, in various forms. But what are the potential issues for using Security Onion to monitor multigigabit traffic?
> > > I'm not really concerned with storage capacity -- I can easily estimate how much storage is needed to retain full pcaps. But, will Snort and Bro be able to reasonably monitor this amount of traffic?
> > > As for hardware -- I'm currently looking at the Dell PowerEdge R720, which I believe has been recommended for use on this forum previously, and it will be pretty hefty -- 2 x E5-2620 (12 cores total), 16+ GB RAM, Intel X520 for monitor interface.
> > > Really appreciate the help.
> > > 
> > > Thanks,
> > > 
> > > Vincent
> > 
> > I guess I should have been more specific regarding the bandwidth -- let's say 4Gb/s.
> > Thanks,
> > 
> > Vincent

Michael,

This is incredibly useful and comprehensive information! Thank you so much for taking the time to post this. I am sure it will be helpful to others as well.

I'm sure I'll make my share of mistakes trying to implement this, but it's helpful to know others have been down the same road and are making progress.

Thanks again!

Vincent
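The three-way bpf.conf split Michael describes (web server / rest of DMZ / everything outside the DMZ) only captures everything once if the filters partition the traffic cleanly: every flow must land in exactly one sensor instance, with no gaps and no double-captures. The following is an added example, not code from the thread or from Security Onion: it builds the three BPF strings from a web server address and a DMZ prefix (both constructed here), mirrors their semantics with Python predicates, and checks a set of constructed sample flows for flows that would be missed or duplicated. It also shows the common mistake of a web server address that lies outside the DMZ prefix, which makes flows between that host and internal hosts match two instances. The instance names and the assumption that an undirected `host`/`net` BPF primitive matches either endpoint are this example's, not the project's.

```python
"""
Check that per-instance bpf.conf filters partition the traffic: every flow
lands in exactly one sensor instance, none in zero, none in two.
Added example (not Security Onion code); the split mirrors the
web-server / rest-of-DMZ / non-DMZ layout described in the thread.
"""
import ipaddress
from typing import Dict, List, Tuple

Flow = Tuple[str, str]  # (source IP, destination IP)


def build_filters(web_ip: str, dmz_net: str) -> Dict[str, str]:
    """Return the BPF text you would put in each instance's bpf.conf.
    Instance names are hypothetical; use whatever sosetup assigned."""
    return {
        "sensor-web": f"host {web_ip}",
        "sensor-dmz": f"net {dmz_net} and not host {web_ip}",
        "sensor-internal": f"not net {dmz_net}",
    }


def matching_instances(flow: Flow, web_ip: str, dmz_net: str) -> List[str]:
    """Python predicates mirroring the BPF filters above. Assumption: an
    undirected 'host X' / 'net N' matches when either endpoint qualifies,
    which is how libpcap treats primitives without a src/dst qualifier."""
    web = ipaddress.ip_address(web_ip)
    dmz = ipaddress.ip_network(dmz_net, strict=False)
    src, dst = (ipaddress.ip_address(a) for a in flow)
    touches_web = web in (src, dst)
    touches_dmz = src in dmz or dst in dmz
    hits = []
    if touches_web:                       # host WEB
        hits.append("sensor-web")
    if touches_dmz and not touches_web:   # net DMZ and not host WEB
        hits.append("sensor-dmz")
    if not touches_dmz:                   # not net DMZ
        hits.append("sensor-internal")
    return hits


def check_partition(flows, web_ip: str, dmz_net: str) -> Dict[str, List[Flow]]:
    """Report flows no instance would capture ('missed') and flows more than
    one instance would capture ('duplicated'). Both empty means a clean split."""
    report: Dict[str, List[Flow]] = {"missed": [], "duplicated": []}
    for flow in flows:
        n = len(matching_instances(flow, web_ip, dmz_net))
        if n == 0:
            report["missed"].append(flow)
        elif n > 1:
            report["duplicated"].append(flow)
    return report


# Constructed sample flows (not captured traffic); RFC 5737 ranges stand in
# for the Internet, 10.1.1.0/24 for the DMZ, 192.168.0.0/16 for internal.
SAMPLE_FLOWS = [
    ("198.51.100.7", "10.1.1.10"),   # Internet client -> DMZ web server
    ("10.1.1.10", "10.1.1.20"),      # web server -> another DMZ host
    ("10.1.1.20", "198.51.100.9"),   # DMZ host (not the web server) -> Internet
    ("192.168.5.4", "10.1.1.20"),    # internal -> DMZ host
    ("192.168.5.4", "192.168.7.8"),  # internal -> internal
    ("192.168.5.4", "203.0.113.1"),  # internal -> Internet
]

if __name__ == "__main__":
    for name, bpf in build_filters("10.1.1.10", "10.1.1.0/24").items():
        print(f"{name}: {bpf}")
    print(check_partition(SAMPLE_FLOWS, "10.1.1.10", "10.1.1.0/24"))
    # A web server address outside the DMZ prefix breaks the split: traffic
    # between it and an internal host matches sensor-web AND sensor-internal.
    print(check_partition([("192.168.5.4", "172.16.0.10")],
                          "172.16.0.10", "10.1.1.0/24"))
```

Run it before editing the real bpf.conf files: the check is cheap, and a non-empty `missed` list means a blind spot while a non-empty `duplicated` list means one flow consuming capacity on two instances. Extending `SAMPLE_FLOWS` with the address pairs you actually expect to see on the span port is the useful part; the filter strings themselves can be pasted into the instance folders once the report is clean.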
