Re: HW Specs

["Alex Butcher, ISC/ISYS" <Alex.Butcher () bristol ac uk>]

--On 21 November 2005 14:34 +0100 "Brian J. Dyrehauge" <bjd () bridicum com> 
wrote:

> I'm about to buy some hardware, and need to know what specs to go with.
> I'll be using Snort and MySQL on the same machine.

I'd really recommend splitting the sensor role from the database role, and 
running them on separate machines for best performance.

> We'll be monitoring on 2 NICs. Net traffic will be, as far as I've been
> informed by our customer, 17 GB on one NIC and 14 GB on the other NIC. 
The
> switch is a 100 MB, which means no Gigabit traffic.
>
> Do you guys have any recommendations as to what hardware I should buy?
> Take into consideration that it has to be non-expensive. ;)

These questions are always a bit vague as everyone's traffic patterns and 
NIDS config is different. However, for guidance, I'm using two Dell 
PowerEdge 2850s (2xXeon 3.2 Nocona (800MHz FSB, EM64T), E7520/E7525 
chipset) running CentOS 4.2 x86_64.

The sensor has 2xIntel Pro/1000 MT Quad Port NICs, 4GB memory and 2x10K RPM 
SCSI discs, mirrored, connected to a PERC 4e/Di.

The database console has 8GB memory and 4x10K RPM discs RAID10'ed on a PERC 
4e/Di. The kernel is running with elevator=deadline to improve IO 
scheduling performance.

The sensor is currently monitoring a single 100Mbit (pretty much solid, 
24x7) feed from a SPAN port and has all rules enabled (including bleeding 
and community), with a fair bit of session tagging, and is utilizing 15-30% 
of one CPU and 188Mbyte of memory to do so. Snort is linked against Phil 
Wood's modified libpcap and configured to use the maximum buffer size. 
Hopefully the CPU usage will decrease once I've had a chance to tune the 
rules properly.

The sensor feeds its alerts into the console using FLoP. The console is 
currently using MySQL (this may change to PgSQL in the future). MySQL is 
currently using 2.2Gbyte of memory and sometimes flattens (99.9%) a single 
CPU, especially if the database is being queried whilst events are being 
logged.

If you need to economise, I'd recommend starting with eliminating the RAID 
and ~3GByte memory on the sensor. For further economy, reduce the console's 
memory to 4GByte. If you have the option, an Opteron-based machine might 
well be better for the console (and the sensor, if you can find one with 
multiple PCI-X busses - for a reasonable price).

I also have a test NIDS, which has all the software running on a single 
machine. It's a P4 1.7, 768Mbyte of memory and a single 40G ATA disc. It's 
monitoring a <=30Mbit/s feed, and it barely copes, often dropping packets. 
I've even disabled a number of noisy rules that, ideally, I'd like to leave 
enabled.

> Yours sincerely,
> Brian

HTH,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9




-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.  Get Certified Today
Register for a JBoss Training Course.  Free Certification Exam
for All Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_id=7628&alloc_id=16845&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users