Design questions...

["Jeremy Finke" <Jeremy.Finke () MeridianIQ com>]

> Hi, hopefully, my email is sorted out now and this will get through...
> I have some performance questions that I hope that someone would be
> able to help me out with. 
> I am trying to convince my boss to start implementing snort at a
> serious level. Problem is, he is a windows/closed source type of guy
> and I am a unix/open source type of guy. I am trying to convince him
> to buy seperate boxes for each of the sensors and then a logging box
> that has its own private network to send data across. Ideally, I would
> have 4 snort sensors and one of them be an ACID/PHP/MySQL log server.
> He does not want to pay for all the boxes because he thinks that they
> are going to cost $2.5k a pop. I think that we can go with a non major
> vendor (pogo linux, penguin computing, etc....) and get it cheaper,
> but that is a different story. 
> So, he brought up the idea of having one big box and having multiple
> nics. Now, I know that this can easily be done using multiple snort
> processes/conf files/etc... However, I am wondering about the
> performance of such a beast. What type of horsepower do I need to
> monitor 2 T1s (on seperate networks) and 2 100MB networks (also
> seperate)? Also, it will probably be running the database as well, on
> a seperate network. Can people give me an idea of what they are
> running out there? 
> Thanks! 
> Jeremy Finke