Faster Snorting Webinar

On January 31st 2008, Endace hosted a webinar featuring industry expert Matthew Jonkman. Matt showed how the Endace NinjaBox-Z can be used to accelerate existing Snort implementations, and discussed the results from his NinjaBox-Z performance testing. To watch the archived webinar click here.


Competition Winners

Winners of the Snort 2.1 Intrusion Detection handbook are ea-v, bh-i, gj-a, cp-c, and cp-a. The winner of the consulting session with Matt Jonkman is wo-c. Please note, to protect privacy we've used the winners' initials and the first letter of their company; winners will be notified by email. Congratulations and thanks to everyone for registering.

Webinar Q & A

Here's a summary of the questions that arose during the webinar, and the answers to those questions. If you have any questions you'd like to ask after viewing the webinar, please use the "Contact Us" form here.

Q. Can this web cast be downloaded with audio?
A. Yes. You can view the presentation with streaming audio here.

Q. Is the presentation available for download?
A. Yes. You can download the presentation here.

Q. Over what period of time was the data used in the performance testing captured?
A. The source pcap was captured over an approximately 6-hour period.

Q. How large was the pcap file?
A. It was around 60GB.

Q. So, for the higher speed tests, you had to loop the pcap over and over? Or did you just play it once for each test and then view the results?
A. For the high end testing, the pcap was indeed looped several times.

Q. Do you have a breakout of HTTP vs. SMTP vs. DNS, etc.?
A. Not currently, but I can generate that and make it available in the future.

Q. How do you spread the traffic across the 8 Snorts? Is it by separate protocols?
A. The default configuration uses a hash load balancing mechanism which is protocol independent, but maintains stream continuity. This simplifies deployments by allowing exactly the same rulesets to be deployed on each Snort instance. The NinjaBox-Z can split by IP address, port, or protocol, if required, for fine-tuning the acceleration capabilities. In this case, distinct protocols can be steered to Snort instances running rulesets specific to the traffic type. As noted in the webinar, with this level of traffic awareness and tuning, I would expect the Endace platform to perform at sustained rates exceeding 6Gbps.

Q. Why could Snort not be threaded/load balanced on 5-tuple, thus taking advantage of multiple cores?
A. While the results presented in the webinar were achieved strictly using dynamic load balancing techniques, requiring no knowledge of the traffic on the segment and no pre-configuration, the NinjaBox-Z can also load balance using 5-tuple filtering to achieve acceleration far in excess of 16X. This solution also requires no modification to the stock Snort source code.

Q. How does Snort perform with unidirectional traffic?
A. If you mean just getting one side of a ‘conversation’, it’ll not really work at all. Many rules and reassembly depend on the entire stream being available. If both sides of the conversation are not, most detections will not work.
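The two answers above (hash load balancing that keeps stream continuity across the 8 Snort instances, and the need for both sides of a conversation to reach the same instance) can be illustrated with a direction-independent 5-tuple hash. This is an added example and an assumption about how such steering can be built, not Endace's own NinjaBox-Z algorithm; `Packet`, `flow_key`, `choose_instance` and `steer` are names chosen here.

```python
# Added illustration, not Endace code: a symmetric 5-tuple hash so that
# client->server and server->client packets of one conversation always land
# on the same Snort instance, letting stream reassembly see the whole session.
import hashlib
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int  # 6 = TCP, 17 = UDP


def flow_key(pkt: Packet) -> bytes:
    """Direction-independent key: order the two endpoints canonically so the
    reverse direction of the same conversation produces an identical key."""
    a = (int(ipaddress.ip_address(pkt.src_ip)), pkt.src_port)
    b = (int(ipaddress.ip_address(pkt.dst_ip)), pkt.dst_port)
    lo, hi = sorted([a, b])
    return f"{pkt.proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}".encode()


def choose_instance(pkt: Packet, n_instances: int = 8) -> int:
    """Hash the symmetric key and map it onto one of n Snort instances.
    Protocol independent: the same rules run on every instance."""
    digest = hashlib.sha256(flow_key(pkt)).digest()
    return int.from_bytes(digest[:4], "big") % n_instances


def steer(packets, n_instances: int = 8) -> dict:
    """Distribute packets; returns {instance: [packets]} so the operator can
    verify that no conversation was split across instances."""
    buckets = {i: [] for i in range(n_instances)}
    for p in packets:
        buckets[choose_instance(p, n_instances)].append(p)
    return buckets


if __name__ == "__main__":
    # Constructed sample: one HTTP request and its reply, opposite directions.
    c2s = Packet("10.0.0.5", 40000, "192.0.2.10", 80, 6)
    s2c = Packet("192.0.2.10", 80, "10.0.0.5", 40000, 6)
    print(choose_instance(c2s), choose_instance(s2c))  # same instance
```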

Q. Is Endace considering packaging a tuned version of Snort in its NinjaBox as an appliance?
A. Endace has told me that they will be releasing a hardened appliance under the NinjaProbe portfolio shortly.

Q. How can we get all your testing methodologies you mentioned?
A. The best place to start is with my white paper [Endace NinjaBox-Z Series Performance Comparison], openly available on the Endace web site. If you have any further questions, please feel free to contact me through Endace.

Q. Did you test 4 cores, 4 streams and if so at what buffer depth?
A. I did not do a 4-stream test, but would expect similar acceleration rates. An advantage is, with 4 streams, you may be able to get a 512meg buffer per stream to stay under the Linux 2 gig cap. That could have a very advantageous additional gain. Endace do have a 4-core NinjaBox-Z model in their portfolio.

Q. Can you still use a standard system to collect alerts, since you have multiple Snorts on one sensor? My understanding is that some systems require one Snort.
A. I can’t say for sure, as I’m not familiar with all product offerings. It is possible with the Endace Applied Watch Command Center solution, but you should probably check with your individual supplier.

Q. Media traffic is increasing over the wire. What is done with RTP or SIP traffic? How is it handled by the hardware? Will performance degrade?
A. I assume you are specifically talking about the increase in smaller packet sizes. The underlying technology used in the NinjaBox-Z is actually extremely adept at handling large amounts of small packet sizes. Endace has made test comparisons publicly available on their web site. [DAG Packet Capture Performance]

Any further questions, please feel free to contact me through Endace.