RE: HW Specs

["Timothy A. Holmes" <tholmes () mcaschool net>]

> --On 21 November 2005 14:34 +0100 "Brian J. Dyrehauge"
<bjd () bridicum com>
> wrote:
>
> > I'm about to buy some hardware, and need to know what specs to go
with.
> > I'll be using Snort and MySQL on the same machine.
>
> I'd really recommend splitting the sensor role from the database role,
and
> running them on separate machines for best performance.
>
> > We'll be monitoring on 2 NICs. Net traffic will be, as far as I've
been
> > informed by our customer, 17 GB on one NIC and 14 GB on the other
NIC.
> The
> > switch is a 100 MB, which means no Gigabit traffic.
> >
> > Do you guys have any recommendations as to what hardware I should
buy?
> > Take into consideration that it has to be non-expensive. ;)
>
> These questions are always a bit vague as everyone's traffic patterns
and
> NIDS config is different. However, for guidance, I'm using two Dell
> PowerEdge 2850s (2xXeon 3.2 Nocona (800MHz FSB, EM64T), E7520/E7525
> chipset) running CentOS 4.2 x86_64.
>
> The sensor has 2xIntel Pro/1000 MT Quad Port NICs, 4GB memory and
2x10K
> RPM
> SCSI discs, mirrored, connected to a PERC 4e/Di.
>
> The database console has 8GB memory and 4x10K RPM discs RAID10'ed on a
> PERC
> 4e/Di. The kernel is running with elevator=deadline to improve IO
> scheduling performance.
>
> The sensor is currently monitoring a single 100Mbit (pretty much
solid,
> 24x7) feed from a SPAN port and has all rules enabled (including
bleeding
> and community), with a fair bit of session tagging, and is utilizing
15-
> 30%
> of one CPU and 188Mbyte of memory to do so. Snort is linked against
Phil
> Wood's modified libpcap and configured to use the maximum buffer size.
> Hopefully the CPU usage will decrease once I've had a chance to tune
the
> rules properly.
>
> The sensor feeds its alerts into the console using FLoP. The console
is
> currently using MySQL (this may change to PgSQL in the future). MySQL
is
> currently using 2.2Gbyte of memory and sometimes flattens (99.9%) a
single
> CPU, especially if the database is being queried whilst events are
being
> logged.
>
> If you need to economise, I'd recommend starting with eliminating the
RAID
> and ~3GByte memory on the sensor. For further economy, reduce the
> console's
> memory to 4GByte. If you have the option, an Opteron-based machine
might
> well be better for the console (and the sensor, if you can find one
with
> multiple PCI-X busses - for a reasonable price).
>
> I also have a test NIDS, which has all the software running on a
single
> machine. It's a P4 1.7, 768Mbyte of memory and a single 40G ATA disc.
It's
> monitoring a <=30Mbit/s feed, and it barely copes, often dropping
packets.
> I've even disabled a number of noisy rules that, ideally, I'd like to
> leave
> enabled.
>
> > Yours sincerely,
> > Brian
>
> HTH,
> Alex.
> --
> Alex Butcher: Security & Integrity, Personal Computer Systems Group
> Information Systems and Computing             GPG Key ID: F9B27DC9
> GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
[Timothy A. Holmes] 

Alex, and group:

I have gotten snort and base set up and running (I think properly) but I
have not yet started to tweak the rules etc.  

Right now, the sensor and the database are combined into one box set up
as follows:

Pentium 4 HT box, 1gb Memory 40gb HDD - not scsi
2 interfaces:
        - One Intel Pro1000 on the board -- has an ip on it -- used for
management
        - One Belkin 10/100 PCI card -- no IP used as the sniffing
interface right now

Running MySQL and BASE -- Set up per Patrick Harpers instructions

The sensor is currently placed between the cable modem and the Firewall
on a hub,  to monitor the outside traffic

I would like to be able to use the second Interface as a second sniffer
port, to take a look at internal traffic.  Also, I would like to hear
others recommendations about how to set up the logging etc.  Some have
recommended using a separate box for logging etc,  I don't care on that
issue, whatever works well is fine with me.

We do not see a ton of traffic through the modem, average traffic is
about 500kb, although, of course, there are spikes etc.

I can set up span ports on the core switch without any trouble

Thanks for any / all advice etc

TIM



-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_idv37&alloc_id865&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users