Snort mailing list archives
RE: Design questions...
From: "Wayne T Work" <securitygauntlet () snet net>
Date: Tue, 29 Oct 2002 11:15:57 -0500
Well, first I would analyze what the traffic load on the network and T1s is. Use Ntop, or you can use the native Windows network monitoring to see what you have going through the gateway. Some program that just measures traffic levels.

Second I would look to see what different switched segments you have from an architectural standpoint. If all the traffic traverses one point, i.e. the firewall (which I hope you have a very good one in place), then you should concentrate an initial effort there. Sometimes it's good to start off simple. Once the value is seen for the product, then further implementation should be viable.

As you might know there are a couple of commercial versions of appliance-based Snort IDS companies out there. Sourcefire and Silicon Defense for example. Check them out if your boss is into commercial endeavors.

Good luck
Wayne

Remember the KISS method (Keep It Simple Stupid)!!

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jeremy Finke
Sent: Tuesday, October 29, 2002 9:46 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Design questions...

Hi, hopefully my email is sorted out now and this will get through...

I have some performance questions that I hope someone would be able to help me out with. I am trying to convince my boss to start implementing snort at a serious level. Problem is, he is a Windows/closed-source type of guy and I am a Unix/open-source type of guy. I am trying to convince him to buy separate boxes for each of the sensors and then a logging box that has its own private network to send data across. Ideally, I would have 4 snort sensors and one of them would be an ACID/PHP/MySQL log server. He does not want to pay for all the boxes because he thinks that they are going to cost $2.5k a pop. I think that we can go with a non-major vendor (Pogo Linux, Penguin Computing, etc....) and get it cheaper, but that is a different story.

So, he brought up the idea of having one big box with multiple NICs. Now, I know that this can easily be done using multiple snort processes/conf files/etc... However, I am wondering about the performance of such a beast. What type of horsepower do I need to monitor 2 T1s (on separate networks) and 2 100MB networks (also separate)? Also, it will probably be running the database as well, on a separate network. Can people give me an idea of what they are running out there?

Thanks!
Jeremy Finke
<<attachment: winmail.dat>>
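Wayne's first suggestion is to measure the actual traffic level on each link before sizing the sensor box, since a T1 and a 100 Mb segment can carry very different loads. As an added example (not code from this thread or from Snort), here is a small Python script that samples the Linux /proc/net/dev byte counters twice, computes bits per second per interface, and reports utilization against the link's nominal rate. The interface names, the mapping of interfaces to links, and the two embedded /proc/net/dev snapshots are constructed for illustration; the link rates (1.544 Mbps for a T1, 100 Mbps for Fast Ethernet) are the standard nominal values.

```python
"""Estimate per-interface traffic load from two /proc/net/dev samples.

Added illustration, not part of the original mailing-list thread.
Assumes a Linux host whose /proc/net/dev has the usual 16 counter
columns (8 receive, 8 transmit) after the "iface:" prefix.
"""
import time

# Nominal link rates in bits per second (standard values).
T1_BPS = 1_544_000
FAST_ETHERNET_BPS = 100_000_000

# Hypothetical mapping of sensor interfaces to the links they tap.
LINK_BPS = {
    "eth0": T1_BPS,             # first T1
    "eth1": FAST_ETHERNET_BPS,  # first 100 Mb segment
}

# Constructed /proc/net/dev snapshots taken 10 seconds apart (sample data).
SAMPLE_BEFORE = """Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   12345     100    0    0    0     0          0         0    12345     100    0    0    0     0       0          0
  eth0: 1000000    8000    0    0    0     0          0         0   500000    4000    0    0    0     0       0          0
  eth1: 50000000  60000    0    0    0     0          0         0 20000000   30000    0    0    0     0       0          0
"""
SAMPLE_AFTER = """Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   12345     100    0    0    0     0          0         0    12345     100    0    0    0     0       0          0
  eth0: 1800000   14000    0    0    0     0          0         0   665000    5200    0    0    0     0       0          0
  eth1: 60000000  72000    0    0    0     0          0         0 22500000   33500    0    0    0     0       0          0
"""
SAMPLE_INTERVAL = 10.0


def parse_proc_net_dev(text):
    """Return {iface: (rx_bytes, tx_bytes)} parsed from /proc/net/dev text."""
    stats = {}
    for line in text.splitlines()[2:]:  # skip the two header lines
        if ":" not in line:
            continue
        iface, rest = line.split(":", 1)  # counters may be glued to the colon
        fields = rest.split()
        if len(fields) < 16:
            continue  # malformed or truncated line; ignore it
        stats[iface.strip()] = (int(fields[0]), int(fields[8]))
    return stats


def throughput_bps(before, after, seconds):
    """Bits per second (rx + tx) per interface between two samples."""
    rates = {}
    for iface, (rx1, tx1) in after.items():
        if iface not in before:
            continue  # interface appeared between samples; no delta yet
        rx0, tx0 = before[iface]
        rates[iface] = 8 * ((rx1 - rx0) + (tx1 - tx0)) / seconds
    return rates


def utilization(rates, link_bps):
    """Fraction of nominal link capacity in use, for interfaces with a known rate."""
    return {i: rates[i] / link_bps[i] for i in rates if i in link_bps}


def load_report(before_text, after_text, seconds, link_bps=LINK_BPS):
    """Combine parsing, rate and utilization; also return the aggregate load.

    The aggregate matters for the "one big box with many NICs" design:
    a single sensor must keep up with the sum of all tapped links.
    """
    rates = throughput_bps(parse_proc_net_dev(before_text),
                           parse_proc_net_dev(after_text), seconds)
    util = utilization(rates, link_bps)
    total = sum(rates[i] for i in util)  # only links the sensor would tap
    return {"rates": rates, "utilization": util, "total_bps": total}


def sample_live(seconds=SAMPLE_INTERVAL):
    """Take two real samples from /proc/net/dev on this host."""
    with open("/proc/net/dev") as f:
        before = f.read()
    time.sleep(seconds)
    with open("/proc/net/dev") as f:
        after = f.read()
    return load_report(before, after, seconds)


if __name__ == "__main__":
    report = sample_live()
    for iface, pct in sorted(report["utilization"].items()):
        print(f"{iface}: {report['rates'][iface]/1e6:.2f} Mbps ({pct:.0%} of link)")
    print(f"aggregate load on tapped links: {report['total_bps']/1e6:.2f} Mbps")
```

Run it for several minutes at busy times of day rather than once; a single 10-second sample says little about peak load, and it is the peak, summed over every interface the box would tap, that decides whether one multi-NIC sensor is realistic.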
Current thread:
- Design questions... Jeremy Finke (Oct 29)
- Re: Design questions... Jarret Gibson (Oct 29)
- RE: Design questions... Wayne T Work (Oct 29)
- <Possible follow-ups>
- RE: Design questions... Randy Bey (Oct 29)
- Re: RE: Design questions... larc (Oct 29)
- Design questions... Jeremy Finke (Oct 29)
- RE: RE: Design questions... Jeremy Finke (Oct 29)
- RE: Design questions... Jakub Molek (Oct 30)