Snort mailing list archives

Re: newbie to snort


From: Dragos Ruiu <dr () kyx net>
Date: Thu, 2 Aug 2001 13:05:16 -0700

On Thu, 02 Aug 2001, Erek Adams wrote:
> Depends on your sustained traffic.  This has been hashed and rehashed on the
> list.  Take a look at the FAQ.  It discusses this in some detail.  Check
> http://www.snort.org/ and click 'FAQ' on the left.

Uhm.... just checked... and either I'm hitting some transparent web-cache
timewarp or the snort FAQ on www.snort.org hasn't been updated in a while.

Another URL you can use for the snort FAQ is:
 http://www.tux.org/~karl/SNORT-FAQ-v1.8.1.html

(thanks Karl for that and the HTMLizing)

And for this question the FAQ punts to the list here right now, so
this is a circular reference... :-)

There was a good discussion of this "how big a box" do I need question
recently in the last few weeks, which I intend to use to update this FAQ
question answer which is a bit vague right now.  This was an informational
thread on focus-ids@securityfocus titled "Snort- Minimum system requirements".
And I would suggest starting there for some information as I recall several
users posted info about the bandwidths/boxes they were using.... at least
until I get a chance to get to the FAQ edits again...

BTW my only rule of thumb so far on box sizing is:
a P133 is good for 10MBps
a P350-400 is needed at a minimum to avoid packet
loss on a 100MBps interface. Marty uses a Celeron 400
for T1's and cablemodems as a mileage point.... 
a p750-800 is good for two 100 interfaces on the same box
(and 850+ _might_ be good for 3 with light loading and traffic
but this is highly config dependent and there are some 
other OS/NIC architecture issues you start to hit at 270MBps+)

Of course all of these are dependent on how hard you push rules
database, OS, RAM, config and traffic, yadda yadda yadda... etc...

As usual YMMV!

cheers,
--dr
