Snort mailing list archives
RE: HW Specs
From: "Timothy A. Holmes" <tholmes () mcaschool net>
Date: Wed, 23 Nov 2005 12:21:25 -0500
--On 21 November 2005 14:34 +0100 "Brian J. Dyrehauge" <bjd () bridicum com> wrote:

> I'm about to buy some hardware, and need to know what specs to go with.
> I'll be using Snort and MySQL on the same machine.

I'd really recommend splitting the sensor role from the database role, and running them on separate machines for best performance.

> We'll be monitoring on 2 NICs. Net traffic will be, as far as I've been informed by our customer, 17 GB on one NIC and 14 GB on the other NIC. The switch is a 100 MB, which means no Gigabit traffic. Do you guys have any recommendations as to what hardware I should buy?
> Take into consideration that it has to be non-expensive. ;)

These questions are always a bit vague as everyone's traffic patterns and NIDS config are different. However, for guidance, I'm using two Dell PowerEdge 2850s (2xXeon 3.2 Nocona (800MHz FSB, EM64T), E7520/E7525 chipset) running CentOS 4.2 x86_64. The sensor has 2xIntel Pro/1000 MT Quad Port NICs, 4GB memory and 2x10K RPM SCSI discs, mirrored, connected to a PERC 4e/Di. The database console has 8GB memory and 4x10K RPM discs RAID10'ed on a PERC 4e/Di. The kernel is running with elevator=deadline to improve IO scheduling performance.

The sensor is currently monitoring a single 100Mbit (pretty much solid, 24x7) feed from a SPAN port and has all rules enabled (including bleeding and community), with a fair bit of session tagging, and is utilizing 15-30% of one CPU and 188Mbyte of memory to do so. Snort is linked against Phil Wood's modified libpcap and configured to use the maximum buffer size. Hopefully the CPU usage will decrease once I've had a chance to tune the rules properly.

The sensor feeds its alerts into the console using FLoP. The console is currently using MySQL (this may change to PgSQL in the future). MySQL is currently using 2.2Gbyte of memory and sometimes flattens (99.9%) a single CPU, especially if the database is being queried whilst events are being logged.

If you need to economise, I'd recommend starting with eliminating the RAID and ~3GByte memory on the sensor. For further economy, reduce the console's memory to 4GByte. If you have the option, an Opteron-based machine might well be better for the console (and the sensor, if you can find one with multiple PCI-X busses - for a reasonable price).

I also have a test NIDS, which has all the software running on a single machine. It's a P4 1.7, 768Mbyte of memory and a single 40G ATA disc. It's monitoring a <=30Mbit/s feed, and it barely copes, often dropping packets. I've even disabled a number of noisy rules that, ideally, I'd like to leave enabled.

> Yours sincerely,
> Brian

HTH,
Alex.

--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing
GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
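The symptom Alex reports on his undersized test sensor, dropped packets, is the one figure worth checking on any Snort box before buying more hardware. As an added example (not code from this thread or from the Snort project), here is a small Python checker that parses the packet summary Snort prints at shutdown and turns it into a pass/fail verdict; the summary layout is modelled on Snort 2.x output, the counts are constructed, and the 0.1% drop threshold is an assumed operational target.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the packet summary Snort 2.x prints at
# shutdown; the counts are made up for illustration.
SAMPLE_SUMMARY = """\
===============================================================================
Snort received 4815162 packets
    Analyzed: 4773927(99.144%)
    Dropped: 41235(0.856%)
    Outstanding: 0(0.000%)
===============================================================================
"""

_RECEIVED = re.compile(r"Snort received (\d+) packets")
_FIELD = re.compile(r"^\s*(Analyzed|Dropped|Outstanding):\s*(\d+)\(", re.MULTILINE)


@dataclass
class PacketStats:
    received: int
    analyzed: int
    dropped: int
    outstanding: int

    @property
    def drop_rate(self) -> float:
        """Fraction of received packets the sensor never analysed.
        Recomputed from the raw counts rather than trusting the printed %."""
        return self.dropped / self.received if self.received else 0.0


def parse_summary(text: str) -> PacketStats:
    """Extract the four counters from a Snort shutdown summary."""
    m = _RECEIVED.search(text)
    if not m:
        raise ValueError("no 'Snort received N packets' line found")
    fields = {name: int(count) for name, count in _FIELD.findall(text)}
    return PacketStats(
        received=int(m.group(1)),
        analyzed=fields.get("Analyzed", 0),
        dropped=fields.get("Dropped", 0),
        outstanding=fields.get("Outstanding", 0),
    )


def assess(stats: PacketStats, max_drop_rate: float = 0.001) -> str:
    """Assumed threshold: above 0.1% drops the sensor (CPU, pcap buffer
    or disk) is not keeping up with the feed and needs tuning or hardware."""
    verdict = "undersized" if stats.drop_rate > max_drop_rate else "ok"
    return f"{verdict}: {stats.drop_rate:.3%} dropped"


if __name__ == "__main__":
    stats = parse_summary(SAMPLE_SUMMARY)
    print(stats, assess(stats))
```

Feed it the summary from a real sensor's log (or the stats Snort emits on SIGUSR1) and a persistent "undersized" verdict is the cue to reduce the rule set, enlarge the libpcap buffer, or split the database off the sensor as Alex suggests.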
[Timothy A. Holmes] Alex, and group:

I have gotten Snort and BASE set up and running (I think properly) but I have not yet started to tweak the rules etc. Right now, the sensor and the database are combined into one box set up as follows:

- Pentium 4 HT box, 1GB memory, 40GB HDD (not SCSI)
- 2 interfaces:
  - One Intel Pro1000 on the board -- has an IP on it -- used for management
  - One Belkin 10/100 PCI card -- no IP, used as the sniffing interface right now
- Running MySQL and BASE -- set up per Patrick Harper's instructions

The sensor is currently placed between the cable modem and the firewall on a hub, to monitor the outside traffic. I would like to be able to use the second interface as a second sniffer port, to take a look at internal traffic.

Also, I would like to hear others' recommendations about how to set up the logging etc. Some have recommended using a separate box for logging etc; I don't care on that issue, whatever works well is fine with me.

We do not see a ton of traffic through the modem; average traffic is about 500kb, although, of course, there are spikes etc. I can set up SPAN ports on the core switch without any trouble.

Thanks for any / all advice etc.

TIM