Snort mailing list archives

RE: How much machine do I need to run snort?


From: "Abe L. Getchell" <abegetchell () home com>
Date: Thu, 31 Jan 2002 12:30:09 -0500

Hi Greg,

With that much traffic, if you have the cash, check out the TopLayer
AS3500 (http://www.toplayer.com/) and load-balance the traffic across an
array of sensors.  You'll get much more reliable results than trying to
monitor this traffic with one, or a couple, of stand-alone sensors.  It
also lets you do things like send certain kinds of traffic to certain
sensors which are tuned to monitor a specific kind of traffic; send all
HTTP to a sensor (or a group of sensors) only checking HTTP, for
example.  If you have a protocol break-down of your network traffic,
this will allow you to specifically tune sensors to monitor certain
kinds of traffic and mirror that traffic from your network to the
appropriate sensor.

In terms of sensor configuration, just make sure you have fast
processors, lots of memory, a fast disk subsystem, and you should be
fine.  What architecture and OS are you going to be deploying your
sensors on?  It might help for us to know this if you want any specific
suggestions.

Try searching the archives to see how people are approaching a
centralized management structure while using Snort; it's been discussed
here before at length.  In short, yes you can do it, about twenty
different ways. =)

Thanks,
Abe

--
Abe L. Getchell
Security Engineer
abegetchell () home com

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Greg Schmidt
Sent: Wednesday, January 30, 2002 3:47 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] How much machine do I need to run snort?


I have a class B network with 3 core switches that handle about 20,000
nodes.  How big of a box do I need to handle this?  I am looking at 1
box for each 2 core switches and 2 boxes for the main core switch,
which has a 90 Mb/s Internet connection and a 45 Mb/s I2 connection.
Also, can I take the data from the 4 machines, and route it all back to
a main "management console"?  Thanks for the help.

- Greg Schmidt, Manager Network Technology Services - Software Licensing
Washington University in St. Louis
One Brookings Drive, Campus Box 1048
Prince Hall, Room 112
St. Louis, MO 63130
Phone (314) 935-7049   Fax (314) 935-7142
gschmidt () wustl edu     http://sl.wustl.edu


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: 
https://lists.sourceforge.net/lists/listinfo/snort-users

Snort-users list archive: 
http://www.geocrawler.com/redir-sf.php3?list=snort-users


