Security Intelligence [Was: Re: Netblock reassigned from Chile to US ISP...]

[nanog at daork.net (Nathan Ward)]

On 20/12/2008, at 4:23 PM, Randy Bush wrote:

>>> speaking as a small provider, I can tell you that I find running  
>>> snort
>> against my inbound traffic does reduce the cost of running an abuse  
>> desk.
>> I do catch offenders before I get abuse@ complaints, sometimes.
>
> unfortunately snort does not really scale to a larger provider.   
> and, to the best of my poor knowledge, good open source tools to  
> black-hole/redirect botted users are not generally available.  
> universities have some that are good at campus and enterprise scale.
>
> cymru and a few security researchers responded privately to my plea  
> for solid open source tool sets and refs.  knowing the folk  
> involved, maybe we'll see some motion.  patience is a virtue, within  
> limits.


If you're talking about throughput, Tilera recently (April)  
demonstrated 10Gbit/s snort on their TILE64 processors.
http://tilera.com/news_&_events/press_release_080429_snort.php

Not sure if anyone has them in products at the moment though.

--
Nathan Ward