Snort mailing list archives
Re: Throughput question, setup validation
From: Martin Roesch <roesch () sourcefire com>
Date: Fri, 16 Mar 2007 10:00:08 -0400
Hi Jim,

I'm not familiar with the specs of the CPU you're using on your sensor/bridge, but since the traffic volume is pretty low I think you'll do fine on almost any modern system. Just make sure you set your stream memcaps fairly high (in excess of 256MB, maybe more like 512MB) and you tune your rules so that you aren't burning a lot of clock cycles looking for stuff that's never going to happen.

As for the distro to put it on, whatever you're comfortable with is probably best, because you can concentrate on the sensor software and not have to spend a lot of time figuring out the underlying system.

-Marty

On Mar 16, 2007, at 7:34 AM, Page-Zone Web Hosting wrote:
In the 3-4 days I've been losing sleep over this awesome program, I have a few questions. I've pored over every possible online resource for the past few days and have a system up and running, although it has a long way to go. I'm not even sure it's working right, and haven't managed to get the inline portion working, but have managed to get traffic to go through the box.

My question is: does this hardware setup / network scenario seem like a workable system, and can anyone give me any recommendations?

The network is a 100mbit downlink to about 14 LAMP servers on the same class C /24, serving about 10,000 low-traffic websites. The downlink goes into a managed SMC6224M Tiger switch. Many of the sites are running mass-distributed web apps such as WordPress, forum scripts, and just about every other script that can be downloaded for free, installed and abandoned by the webmaster/hobbyist, leaving us to worry about it getting exploited. Most sites are small business brochure or hobby sites. We have a lot of protections in place but never enough.

The 95th percentile bandwidth usage is about 10mbps with bursts of 20mbps occasionally, so I imagine the key number there is 20mbps. Budget is fairly low; for instance, Aanval has been purchased and was considered expensive.

My plan is to install Snort-inline on a transparent bridge on a spare dual Opteron 270, 2GB ECC RAM to start (it's all I have spare right now), 3ware 8000 series SATA RAID 1, Tyan 3870 mainboard which has two on-board 10/100/1000 LAN connections (Intel i82541PI); it can be seen here: http://www.newegg.com/Product/Product.asp?Item=N82E16813151041

Will the hardware setup listed above handle that type of network? Or better yet, what degree of rule checking could I accomplish? Every server runs an individual instance of mod_security with a 200kb set of rules and seems to keep up pretty well. The servers are of the same specs except that they are Opteron 275s and 285s.
Instead of an expensive bypass switch I plan to use a spare managed switch that the downlink would feed into, and if the Snort box goes down I could manually turn that port off and another port on, which would feed into the Tiger switch. But I haven't tested that yet to see if it would work.

My next question: what would be the best distro to put this on? If anyone has any suggestions or pitfall warnings, I'd be very glad to hear them.

Thanks for any suggestions you may have.

--
Thank You,
Jim Snape
Page-Zone Web Hosting
http://www.page-zone.com
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org
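The reply's two concrete recommendations, raise the stream memcap well above the default and prune the rule set, are both things you can check in snort.conf before putting the bridge in the traffic path. The script below is an added example, not code from the thread or from the Snort project: it parses a small constructed snort.conf excerpt (handling `var`, `preprocessor` and `include` lines, backslash continuations and `#` comments), reads the `memcap` of the stream4 or stream5_global preprocessor, flags it when it is below the 256MB floor Marty mentions, and rewrites it to 512MB. The 8MB default it assumes for an absent `memcap` is the documented Snort 2.x default; the file contents and the rule categories listed are invented for the example.

```python
"""Check and raise the Snort 2.x stream memcap in a snort.conf.

Added example: parses a constructed snort.conf excerpt, reports the
stream4 / stream5_global memcap, and rewrites it to the suggested 512MB.
"""
import re

FLOOR_BYTES = 256 * 1024 * 1024   # "in excess of 256MB"
TARGET_BYTES = 512 * 1024 * 1024  # "maybe more like 512MB"
DEFAULT_STREAM_MEMCAP = 8 * 1024 * 1024  # Snort 2.x default when memcap is omitted

# Constructed sample config (not the poster's real file). The memcap is the
# 8MB default, which is far too low for a sensor tracking thousands of flows.
SAMPLE_CONF = """
var HOME_NET 192.0.2.0/24
var EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules

# stream memcap is given in bytes
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \\
    track_udp yes, memcap 8388608
preprocessor stream5_tcp: policy first, ports both all
preprocessor http_inspect: global iis_unicode_map unicode.map 1252

include $RULE_PATH/web-php.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/oracle.rules
"""


def _logical_lines(text):
    """Strip '#' comments, join backslash-continued lines, drop blanks."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            lines.append(buf.strip())
        buf = ""
    if buf.strip():
        lines.append(buf.strip())
    return lines


def _expand(path, variables):
    """Substitute $VAR references (unknown names are left untouched)."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), path)


def parse_snort_conf(text):
    """Return {'vars': {...}, 'preprocessors': [(name, args)], 'includes': [paths]}."""
    conf = {"vars": {}, "preprocessors": [], "includes": []}
    for line in _logical_lines(text):
        parts = line.split(None, 1)
        kw, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        if kw == "var":
            name, _, value = rest.partition(" ")
            conf["vars"][name] = value.strip()
        elif kw == "preprocessor":
            name, _, args = rest.partition(":")
            conf["preprocessors"].append((name.strip(), args.strip()))
        elif kw == "include":
            conf["includes"].append(_expand(rest.strip(), conf["vars"]))
    return conf


def stream_memcap_bytes(conf):
    """Memcap of the first stream4/stream5_global block, or None if neither is configured."""
    for name, args in conf["preprocessors"]:
        if name in ("stream4", "stream5_global"):
            m = re.search(r"\bmemcap\s+(\d+)", args)
            return int(m.group(1)) if m else DEFAULT_STREAM_MEMCAP
    return None


def check_memcap(conf, floor=FLOOR_BYTES):
    """True when a stream preprocessor is configured with memcap >= floor."""
    cap = stream_memcap_bytes(conf)
    return cap is not None and cap >= floor


def raise_memcap(text, target=TARGET_BYTES):
    """Rewrite 'memcap N' inside the stream4/stream5_global statement only.

    Other preprocessors (http_inspect, for one) also accept a memcap keyword,
    so the substitution is confined to the stream block, including any
    backslash-continued lines. A stream block with no memcap keyword is
    returned unchanged; check_memcap() will still report it as failing.
    """
    out, in_stream = [], False
    for raw in text.splitlines():
        code = raw.split("#", 1)[0].rstrip()
        if not in_stream:
            in_stream = re.match(r"\s*preprocessor\s+(stream4|stream5_global)\b", code) is not None
        if in_stream:
            raw = re.sub(r"\bmemcap\s+\d+", "memcap %d" % target, raw)
            in_stream = code.endswith("\\")
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    conf = parse_snort_conf(SAMPLE_CONF)
    cap = stream_memcap_bytes(conf)
    print("stream memcap: %s bytes (%s)" % (cap, "ok" if check_memcap(conf) else "too low"))
    print("rule files included:")
    for path in conf["includes"]:
        print("  " + path)
    print(raise_memcap(SAMPLE_CONF))
```

The include list is the starting point for the second recommendation: on a hosting network that is all Linux/Apache/PHP, categories such as netbios.rules or oracle.rules in the sample will never match anything you care about and only cost detection cycles, so comment them out rather than leaving the full default set enabled.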