PaulDotCom mailing list archives

Recommended hardware for Snort IDS


From: eslerj at gmail.com (Joel Esler)
Date: Fri, 11 Dec 2009 12:34:56 -0500

On Fri, Dec 11, 2009 at 10:12 AM, Nils <nils at hemmann.de> wrote:

What hardware are you guys using for your IDS systems?

We are monitoring a 1000Mbit/s link with an average bandwidth of
30Mbit/s. A second link with a similar bandwidth will follow.
After a successful test with a small system we'd like to order a
dedicated server. Preferably HP DL xyz G4 or G5.
OS-wise we are tied to Red Hat Enterprise 5.4; IDS software is Snort
with BASE, maybe switching to Anval.

Any recommendations from the field?


Have your Snort IDS on a separate machine from your database. That
includes your GUI.
It all depends on what rules you are running, tuning processes, etc.
But I would get the fastest processor you can. (Snort can't take
advantage of dual or multiple cores in the current version, so don't
get concerned about cores.)
RAM. Get RAM. If you are monitoring a Gig link with no expert tuning, get
RAM. 4 Gigs or so.

I have a dual core (yeah, I know what I just said) 1.4 GHz processor 1U
server-class machine with 2 Gigs of RAM. I am running a limited ruleset,
and I've tuned it to the top degree. (I tend to know what I am doing in
these things.) I can't push enough traffic through this machine on my
network to make it drop packets (200+ Megs a second).

It's all in the tuning at the end of the day, but if you don't know a lot
about tuning, then opt for lots of RAM.
-- 
Joel Esler | 302-223-5974 | gtalk: jesler at sourcefire.com
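The reply above measures success as "can't make it drop packets". The quickest way to check that on your own sensor is the packet summary Snort prints at shutdown (or when sent SIGUSR1). The script below is an added example, not code from the original thread or from the Snort project: it parses the Received/Analyzed/Dropped counters out of such a summary, computes the drop percentage, and flags the sensor if drops exceed a threshold. The sample summary text is constructed, and its exact layout is an assumption; the regex only relies on the counter names followed by an integer, so compare it against the summary your Snort version actually prints.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the "Packet Wire Totals" block that
# Snort 2.x prints on shutdown. Layout is assumed for illustration only.
SAMPLE_STATS_DROPPING = """\
===============================================================================
Packet Wire Totals:
   Received:       48210335
   Analyzed:       48003129 ( 99.570%)
    Dropped:         207206 (  0.430%)
Outstanding:              0 (  0.000%)
===============================================================================
"""

# Constructed sample for a sensor that kept up with the link.
SAMPLE_STATS_CLEAN = """\
Packet Wire Totals:
   Received:       12000000
   Analyzed:       12000000 (100.000%)
    Dropped:              0 (  0.000%)
"""


@dataclass
class PacketTotals:
    received: int
    analyzed: int
    dropped: int

    @property
    def drop_pct(self) -> float:
        """Dropped packets as a percentage of packets received on the wire."""
        if self.received == 0:
            return 0.0
        return 100.0 * self.dropped / self.received


# One counter per line: label, colon, whitespace, integer. The percentage in
# parentheses (when present) is ignored; it is recomputed from the counts.
_COUNTER = re.compile(r"^\s*(Received|Analyzed|Dropped):\s+(\d+)", re.MULTILINE)


def parse_packet_totals(summary: str) -> PacketTotals:
    """Extract the three packet counters from a Snort shutdown summary."""
    found = {}
    for match in _COUNTER.finditer(summary):
        found[match.group(1).lower()] = int(match.group(2))
    missing = {"received", "analyzed", "dropped"} - found.keys()
    if missing:
        # Refuse to report a misleading 0% if the summary is truncated.
        raise ValueError(f"counters missing from Snort summary: {sorted(missing)}")
    return PacketTotals(found["received"], found["analyzed"], found["dropped"])


def sensor_is_keeping_up(summary: str, max_drop_pct: float = 0.1) -> bool:
    """True if the drop rate is at or below max_drop_pct (hypothetical threshold)."""
    return parse_packet_totals(summary).drop_pct <= max_drop_pct


def report(summary: str) -> str:
    """Human-readable one-liner for a cron job or a quick post-test check."""
    totals = parse_packet_totals(summary)
    verdict = "OK" if sensor_is_keeping_up(summary) else "DROPPING"
    return (f"{verdict}: received={totals.received} analyzed={totals.analyzed} "
            f"dropped={totals.dropped} ({totals.drop_pct:.3f}%)")


if __name__ == "__main__":
    print(report(SAMPLE_STATS_DROPPING))
    print(report(SAMPLE_STATS_CLEAN))
```

Run it against the real summary by redirecting Snort's shutdown output to a file and passing its contents to `report()`. A non-zero drop count under normal traffic is the signal to revisit the ruleset and preprocessor tuning before buying more hardware, which is the point the reply makes.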