Snort mailing list archives

Looking for recommendations for distributed Snort GiGE Sensors (network architecture described in message)


From: Landon Stewart <lstewart () superb net>
Date: Mon, 08 Dec 2003 23:48:45 -0800

Any recommendations on hardware (for now) are greatly appreciated. Cost effectiveness is important so a minimum to do the job. I don't want to get into load balancing on multiple 100mbit links if possible as the iron is too costly.

- I've seen discussion about bus speeds and the maximum data that can be processed with those bus speeds. What is my minimum? Could I get away with 33MHz bus?
- What if I use fiber GiGE links?

Network description (hardware/throughput):

NOC 1:
        Router - CORE1   - Cisco 12008 GSR
                PIPE    1 Gbit/s
                AVG     140 Mbit/s
                PEAK    184 Mbit/s
        Router - CORE2   - Cisco 12008 GSR
                PIPE    1 Gbit/s
                AVG     102 Mbit/s
                PEAK    180 Mbit/s
Both routers distribute traffic to their own distribution switches (each one is a CAT5513)
Visualize this at: http://nsssc.superb.net/img/dca1-fall2003.gif

NOC 2:
        Router - CORE1 - Cisco 12012 GSR
                PIPE    1 Gbit/s
                AVG     110 Mbit/s
                PEAK    130 Mbit/s
        Router - CORE2   - Cisco 12012 GSR
                PIPE    1 Gbit/s
                AVG     200 Mbit/s
                PEAK    280 Mbit/s
Both routers distribute traffic to their own distribution switches (each one is a CAT4912G)
Visualize this at: http://nsssc.superb.net/img/dca2-fall2003.gif

- If you could look at the URLs listed to visualize the networks, where would the best place be to put mirrored sensors and what kind of hardware would I require?
- What kind of requirements would I need for the centralized database system to store the alerts given the amount of IDS data that might be produced? Does it need SCSI or striped RAID? Could I get away with a good SCSI drive and some good RAM?
- Other than ACID what are the other *good* analysis consoles?


I had thought maybe EACH core router (or distribution switch) would require:
        1 x fast machine like a DUAL 2.4GHz with 1GB of RAM
        1 x GiGE interface (fiber?)

- Could I get away with one sensor for each NOC and each of those sensors would have two GiGE interfaces or would that be too much data to process? I doubt I could do two CORE routers on one machine but what do you think?
        
More complete network architecture information can be found at:
http://nsssc.superb.net/information/dca1net-info.php and
http://nsssc.superb.net/information/dca2net-info.php

Thank you to anyone who responds with any information!
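A back-of-the-envelope check for two of the questions above (whether a 33 MHz PCI bus is enough, and whether one sensor per NOC with two GigE interfaces could absorb both core routers), written as an added example rather than anything from the post or the Snort project. It uses only the peak figures quoted in the message; the PCI efficiency derating (0.5) and the duplex factor (mirroring both directions of a link can roughly double the load if the quoted peaks are one-directional) are assumptions exposed as parameters, not measured values.

```python
"""Sizing check: can a sensor's capture bus keep up with the mirrored links?

Added example (not from the list post). It takes the peak per-router
throughput figures quoted in the message and compares candidate sensor
layouts against the theoretical bandwidth of a PCI bus, derated by an
ASSUMED efficiency factor.
"""

# Peak Mbit/s per core router, as quoted in the post (NOC/router -> Mbit/s).
PEAK_MBIT = {
    "NOC1/CORE1": 184,
    "NOC1/CORE2": 180,
    "NOC2/CORE1": 130,
    "NOC2/CORE2": 280,
}


def pci_bus_mbit(width_bits: int, clock_mhz: float) -> float:
    """Theoretical PCI bus bandwidth in Mbit/s (bus width x clock).

    32-bit at 33 MHz gives 1056 Mbit/s, i.e. the familiar ~133 MB/s figure.
    """
    return width_bits * clock_mhz


def required_mbit(routers, duplex_factor: float = 1.0) -> float:
    """Mbit/s a sensor must absorb for the given routers.

    duplex_factor is an ASSUMPTION knob: if the quoted peaks count one
    direction only, a SPAN/mirror of both directions roughly doubles the
    load, so pass 2.0 in that case.
    """
    return sum(PEAK_MBIT[r] for r in routers) * duplex_factor


def check_layout(layout, bus_mbit: float, bus_efficiency: float = 0.5,
                 duplex_factor: float = 1.0):
    """Return {sensor: (required_mbit, usable_mbit, fits)} for each sensor.

    bus_efficiency is an ASSUMED derating (shared bus, arbitration, DMA
    overhead); 0.5 is a placeholder, not a measured figure.
    """
    usable = bus_mbit * bus_efficiency
    result = {}
    for sensor, routers in layout.items():
        need = required_mbit(routers, duplex_factor)
        result[sensor] = (need, usable, need <= usable)
    return result


# The two candidate layouts discussed in the post.
ONE_PER_ROUTER = {r: [r] for r in PEAK_MBIT}
ONE_PER_NOC = {
    "sensor-NOC1": ["NOC1/CORE1", "NOC1/CORE2"],
    "sensor-NOC2": ["NOC2/CORE1", "NOC2/CORE2"],
}

if __name__ == "__main__":
    bus = pci_bus_mbit(32, 33)  # 32-bit/33 MHz PCI: 1056 Mbit/s theoretical
    for name, layout in (("one sensor per router", ONE_PER_ROUTER),
                         ("one sensor per NOC", ONE_PER_NOC)):
        for dup in (1.0, 2.0):
            print(f"{name}, duplex_factor={dup}:")
            for sensor, (need, usable, ok) in check_layout(
                    layout, bus, duplex_factor=dup).items():
                verdict = "ok" if ok else "OVER"
                print(f"  {sensor:12s} needs {need:6.0f} of "
                      f"{usable:6.0f} usable Mbit/s -> {verdict}")
```

With the assumed 50% derating, a single 32-bit/33 MHz bus carries both routers of either NOC if the quoted peaks already include both directions, but the NOC2 pair (and NOC2/CORE2 on its own) tips over once the duplex factor is 2.0. Bus bandwidth is only the first gate: packets per second and the cost of the loaded rule set decide whether Snort actually keeps up, so the bus check is a necessary, not a sufficient, condition.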


