Snort mailing list archives

Re: hardware requirements


From: Erek Adams <erek () snort org>
Date: Thu, 26 Jun 2003 12:19:31 -0400 (EDT)

On Thu, 26 Jun 2003, Brei, Matt wrote:

> I would like to get an idea on what type of hardware you are all running
> snort on and what size network it services.  I plan on using
> snort/MySQL/acid to monitor internet usage and log policy violation on a
> network with about 100 users.  I have the same basic set up at home with
> snort running on a 450 K6-2 logging to MySQL/acid on a 1100 Athlon both
> using PC133 and standard IDE drives (ATA100 and UDMA66).  With this many
> users and having all of the components (snort/MySQL/acid) all on 1
> machine, would it be a good idea to go with SCSI, DDR and 10/100/1000?
> This setup also needs to be scalable up to about 250 users.

Well, there's been a _lot_ of discussion on hardware over time.  What it
basically boils down to are a few simple things:

*  I/O speed:  As fast as you can go.  IDE will do for small setups, but
UW-SCSI is quite a bit better.  And if you can _really_ throw money at it,
use SSD!
*  CPU speed:  Really depends on your traffic.  Sadly there is no hard and
fast rule on speed vs. bandwidth.  I've seen reports of folks using fairly
low end hardware ( around 200 MHz ) and a really tuned ruleset handling
rather big pipes.  For the most part, as fast as you can.  You can't ever
be too fast for Snort.  :)
*  RAM:  With v2.0 Snort's memory usage really jumped.  If you're using
spp_conversation and spp_portscan2, you're going to need a pretty big
chunk of memory (about 70MB on my test box) to handle things.  The more
conversations you see, the larger that memory pool will be.  Again, it's
the 'Bigger is Better' thing.  Throw as much memory as you can at it.
512MB is a pretty good 'safe' point.
*  Separate boxes:  The best performance comes from having a 'simple'
sensor, a Web/ACID box and a DB on a third.  Throw CPU and RAM at the DB
box, since ACID has some rather large queries.

Keep in mind that it's not 'how many users' that make the difference.
It's 'how much bandwidth are they eating?'.

Hope that helps!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

