Snort mailing list archives
Re: hardware requirements
From: Rich Adamson <radamson () routers com>
Date: Mon, 10 Jan 2005 06:40:31 -0600
The only reason for mentioning the motherboard (etc) is that people involved with heavy audio apps and asterisk (open source telephone pbx) have found that some motherboard pci implementations provide less then stellular bus throughput. The throughput has had nothing to do with processor speed, ram, or number of processors. Based on those observations, I would have to guess the performance of snort with GigE will vary dramatically from one machine to another depending upon the exact mobo in use, etc. I'm certainly not an expert on pci or gige, but have spent a fair amount of professional time conducting network performance assessments for clients in 40+ states. I have not yet seen any gige implementation that could actually drive the nic interface at anything close to rated speed in a production environment. (Note: there are probably some somewhere, but I've not seen them, and I've been exposed to a large number of implementations.) As a strang recent example, we're trying to identify why a specific client's server with two gige interfaces cannot sustain traffic throughput greater then 170,000 bits/sec through a single interface. We've double-checked all the basic stuff, and there are no errors or discards happening anywhere, including the correctly configured cisco switch that it attachs to. We'll find the issue, but we're just not there as yet. So, given the above and trying to relate back to the original post relative to recommended hardware to support snort with gige, I don't know that anyone can truly recommend something without qualifying the system (DL380) in use (or Mobo), and at what traffic volumes snort begins to drop packets. I'd be very confident the throughput is substantially less then gige speeds, and I wouldn't be a bit surprised to hear dropped packets occurring at throughputs less then 25% to 50%. Rich ------------------------
True. We used the entire rule set and then singled it down to worms, virus, and porn related entries. Motherboard: Humm... I used a DL380 for the Snort install. Got no idea about the motherboard. Theo --- Rich Adamson <radamson () routers com> wrote:Right, so his original question should be reworded to be oriented towards when will snort begin dropping packets, etc. I've not seen anyone try to qualify motherboards, etc, under different traffic loads, rule sets, etc. ------------------------Rich, Yes this is true however most people use GigECardsfor traffic environments where major traffic, ie1000Meg traffic, is expected.... Theo --- Rich Adamson <radamson () routers com> wrote:Greetings, I would like to know if anyone hasanyhardware recommendations to run SNORT on. specifically im looking to put a GigE NIC in abox and would like to know how fast a CPU andmemory etc etc. Just about any box will work, however what you really want to know is... at what level of traffic will snort begintodrop packets. In other words, its traffic volume dependent,notGigE dependent. I've got several Win32 boxes running just fineonboxes that came with GigE ports, but the traffic volumes atthoselocations are so low that snort could have been using a 10megport.-------------------------------------------------------The SF.Net email is sponsored by: Beat the post-holiday blues Get a FREE limited edition SourceForge.nett-shirtfrom ThinkGeek. It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe:https://lists.sourceforge.net/lists/listinfo/snort-usersSnort-users list archive:http://www.geocrawler.com/redir-sf.php3?list=snort-users__________________________________ Do you Yahoo!? All your favorites on one personal page ETry MyYahoo!http://my.yahoo.com---------------End of Original Message------------------------------------------------------------------------The SF.Net email is sponsored by: Beat the post-holiday blues Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek. It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe:https://lists.sourceforge.net/lists/listinfo/snort-usersSnort-users list archive:http://www.geocrawler.com/redir-sf.php3?list=snort-users__________________________________ Do you Yahoo!? Yahoo! Mail - Find what you need with new enhanced search. http://info.mail.yahoo.com/mail_250
---------------End of Original Message----------------- ------------------------------------------------------- The SF.Net email is sponsored by: Beat the post-holiday blues Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek. It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- hardware requirements Jeffery Martin (Jan 09)
- Re: hardware requirements Theodore Stout (Jan 09)
- Re: hardware requirements Theodore Stout (Jan 09)
- Re: hardware requirements Rich Adamson (Jan 10)
- Re: hardware requirements Theodore Stout (Jan 10)
- Re: hardware requirements Rich Adamson (Jan 10)
- Re: hardware requirements Theodore Stout (Jan 10)
- Re: hardware requirements Rich Adamson (Jan 10)
- Re: hardware requirements Alex Butcher, ISC/ISYS (Jan 10)
- Re: hardware requirements Rich Adamson (Jan 10)
- Re: hardware requirements Theodore Stout (Jan 10)
- Re: hardware requirements Rich Adamson (Jan 10)
- Re: hardware requirements Theodore Stout (Jan 10)
- <Possible follow-ups>
- RE: hardware requirements Basselgia, Barry A Mr (NAF Atsugi) (Jan 10)