Snort mailing list archives

Previous By Date Next
Previous By Thread Next

RE: advice on scaling / performance

From: "Jason Lewis" <jlewis () jasonlewis net>
Date: Tue, 19 Jun 2001 09:20:23 -0400
You do realize with that configuration, you have created a gateway to each
network?

The performance thing is based on traffic and load.  If you have dual T-3's,
500 servers and 10,000 internal clients, I don't think that box can keep up.

Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure".
The people at the other end of the link know less
about security than you do. And that's scary.



-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Joseph
Nicholas Yarbrough
Sent: Tuesday, June 19, 2001 9:01 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] advice on scaling / performance


I have a question concerning performance. I searched the archives and wonder
if this info is up to date. As base information, we will use 99% of the
snort.org ruleset. Our original idea was 4 network cards with a cable
running
from each to an important part of the network (inside & outside firewall,
service net, and some side network). We would be running a single instance
of
Snort running on each interface. Comments or suggestion?

How powerfull of a system should we use to be able to process all this data
(at full loads if needed) on a 100mbps network?

Everyone seemed very sure that I should use "high quality" cards with "good"
driver support for your platform. I have been unable to find a network
performance review for Linux (our target platform). I have gathered from
newsgroups, which are known for spreading complete garbage, that I should
use
Intel cards and not use 3com cards on Linux. Anyone have a clue? Perhaps a
link to a review?

I planned a rackmount system with:
Intel Pentium III 850mhz (256k cache)
Intel eepro100 NIC
128MB sdram
20GB ATA/100 card
Mandrake Linux (perhaps 7.1?)

Which kernel version should I use? I would like to have 2.4 for netfilter,
but should I use 2.2 for some reason?

Would it be a better idea to build a smaller box for each interface we want
to monitor?

Feel free to ignore any stupid questions, and only answer questions you have
time for. I don't want to chew up everyone's time with my constant
badgering.

Thanks for Snort guys,
-Nick

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: