Snort mailing list archives
Re: minimum requirements?
From: John Sage <jsage () finchhaven com>
Date: Sat, 27 Jul 2002 19:37:28 -0700
Neal: On Sat, Jul 27, 2002 at 04:01:09PM -0500, Neal Hamilton wrote:
> I can't find any documentation on what would be a starting point for CPU/mem requirements. The spare machines I have rummaged up for this project are the following:
One of those sorts of questions that mainly get answered "It depends..."

The general snort answer:

1) how many, and what sort of rules will you be running? "Fewer" is better, but what's "fewer"...

2) what kind of logging will you be doing? -b binary logging is by far fastest; logging to a console is slow.

3) what else is running on the snort host? Database; web server; etc etc..?
> 1. The sensor that will be running snort (266mhz pent2 with 396meg ram). The sensor is on an ipf/openbsd bridge with 3 interfaces. 2 of the interfaces will be in bridge mode with no IP address. Of the 2 stealth interfaces only one, the one connected to the cable modem, will be running as a snort sensor and will have no firewall rules associated with it, as I want to see everything and filtering would make the snort sensor useless. The other stealth interface will be connected to the NAT router from my LAN and will not be a sensor but will have some filters applied to it.
>
> Is the above acceptable for a cable modem 10/100 network?
I'd think, absolutely, but see: 1), 2), and 3), above.

I'm running snort on a firewall/router, a Pentium 150 classic with 96mb RAM out of a modem, for a 10/100 LAN with four other boxes back behind, and snort never breaks a sweat.

I *am* binary logging, and logging to syslog, and I'm also alerting to a MySQL database off on another host.. I'm running snort against most all of the stock rules, and maybe an additional 75 more custom rules that essentially alert or log *everything*.

My snort host is also running a caching-only nameserver, tcpdump on two interfaces, xntpd, emacs, but *not* X -- it's CLI only..
> 2. The PureSecure Console running mysql and apache. Note: server will not be running snort; the main sensor is the box mentioned above. The machine I have picked up for this is a (500mhz amd with 256 megs of pc-100 ram and an 80gig ata100 hd.) Is this enough power for currently one sensor and maybe another later?
I'm running ACID/MySQL on an AMD K6-2 500, 256mb RAM, that's running a lot of other stuff, and it never breaks a sweat, either. OS = RHL 7.2
> The OS I have chosen for the sensor (bridge) is OpenBSD 3.1. The OS I have chosen for the Mysql database and apache server is Redhat linux 7.2, because there will be another app running on this box that only runs on rdh linux...so I have to use it. The app does not use much cpu/memory; sometimes I can't even tell it's running because it has such a small footprint. Any advice, help, guidance would be appreciated. Have a great day. Thanks, Neal Hamilton
Best wishes,
- John
--
Why, yes, I talk to birds. I speak fluent finch.
PGP key http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5