Snort mailing list archives

Re: Minimum hardware config for Snort


From: Bennett Todd <bet () rahul net>
Date: Fri, 8 Aug 2003 17:00:17 -0400

2003-08-08T15:55:23 Sheahan, Paul:
- Gig network with up to 100mb/s traffic
- Running on Red Hat Linux 7
- Will most likely be on an Intel platform (Compaq)
- Will only have 50% of the default rules enabled plus some of my own
- All preprocessors enabled (at least that is the initial plan)
- Outputs will most likely be to log only, but MAY be going to ACID
- Prefer no packet loss
- No other services running (this will be a dedicated sensor box)

I'd really recommend changing that RH7 -> RH9; RH7 is slated for
end-of-life Real Soon Now. If you want to juice things a bit more,
hunt down and incorporate the ringbuffered libpcap. But for 100Mbps
neither of these should be necessary.

I'd not necessarily recommend _all_ preprocessors; I really would
recommend considering them case-by-case and including the ones that
you think will really add value for you.

Make sure you get a good gig-e interface. I've enjoyed good success
in a previous deployment using SysKonnect.

Memory is cheap. Get a GB. Snort loves memory. Especially with fast
nets and lots of preprocessors.

CPUs are cheap. Get a nice quick one. I handled 50Mbps with
negligible tuning and negligible packet loss using c. 1.25GHz P4;
with reasonable tuning I'm pretty sure that platform would have
stretched past 100Mbps. But CPUs are so darned cheap, get the
quickest currently conveniently available.

When you are doing logging only, make sure you're doing -A fast -b,
or else just shoot the alerts out through syslog. When you go to a
DB, make sure you go by way of barnyard, and stick the DB on a
separate box.

If you are getting tons of alerts, expect to lose packets; snort
keeps up with huge traffic loads when it's not having to alert on
most packets. I don't have a real hard figure for you here, but I'd
expect that 2-3 alerts/second would probably be around the
threshold where snort performance will be impacted. If you can tune
your preprocessor and sig configs to get alerts down well below
that, it removes one source of potential worry.
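As an added illustration of the "log only" versus "go by way of barnyard to a DB on a separate box" advice above (example configuration, not part of Bennett's post or the Snort project's own files), here is a Snort 2.x output section and a matching barnyard 0.2 configuration. The sensor name, interface, database host, credentials and file paths are placeholders; the plugin syntax is the Snort 2.0-era / barnyard 0.2 form, so check it against the versions actually deployed.

```conf
# --- /etc/snort/snort.conf, output section only (preprocessors/rules omitted) ---
# Logging-only sensor: one-line alerts plus binary (tcpdump) packet logs.
# These two plugins are what "-A fast -b" on the command line gives you.
output alert_fast: alert.fast
output log_tcpdump: snort.log

# Alternative when alerts must reach a database (e.g. for ACID): write
# unified binary spool files and let barnyard do the DB inserts out of
# band, so the sniffing process never blocks on the database.
# Comment out the two plugins above when switching to this pair.
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

# --- /etc/snort/barnyard.conf (barnyard 0.2 syntax) ---
config daemon
config localtime
config hostname: sensor1           # assumed sensor name
config interface: eth1             # assumed sniffing interface
# The database lives on a separate host; db.example.internal and the
# snort/CHANGEME credentials are placeholders.
output alert_acid_db: mysql, sensor_id 1, database snort, server db.example.internal, user snort, password CHANGEME, detail full
output log_acid_db: mysql, sensor_id 1, database snort, server db.example.internal, user snort, password CHANGEME, detail full

# Invocations (not part of either file; paths are assumptions):
#   snort -D -c /etc/snort/snort.conf -i eth1 -l /var/log/snort -A fast -b
#   barnyard -D -c /etc/snort/barnyard.conf -d /var/log/snort -f snort.log \
#            -w /var/log/snort/barnyard.waldo -s /etc/snort/sid-msg.map \
#            -g /etc/snort/gen-msg.map -p /etc/snort/classification.config
```

The waldo file lets barnyard resume from where it left off in the spool after a restart, and the unified files keep Snort's own output path to a sequential write, which is the point of the "go by way of barnyard" recommendation.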
