Snort mailing list archives
Re: New install questions.
From: Doug Burks <doug.burks () gmail com>
Date: Wed, 6 Mar 2013 16:33:31 -0500
On Wed, Mar 6, 2013 at 4:23 PM, Joel Esler <jesler () sourcefire com> wrote:
<snip>
>> 2) What kind of hardware do I need? Since this is my internet sniffer it will be seeing some rather exotic traffic and will need some careful tuning to get right. I would like to be able to use as many rules as possible, but more rules = more CPU and RAM. Given that, what kind of hardware am I looking at to be able to use a good and thorough rule set while not getting bogged down under peak conditions (theoretically about 3Gb/sec).
>
> You'll probably need something like flow dividing and pinning to CPUs. There are lots of articles out there on this information. One of the more recent that discusses this topic (although it really doesn't tell you how to configure Snort: http://erratasec.blogspot.com/2013/02/multi-core-scaling-its-not-multi.html ) Worth a good read. I believe the Security Onion distro does this now (Doug, care to confirm?)
Security Onion includes PF_RING, so you can divide your traffic amongst as many Snort instances as you have cores.

Doug
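Added example, not part of the original message and not code from PF_RING, Snort or Security Onion: a small simulation of the "flow dividing" idea discussed above, showing why traffic is split by flow rather than by packet so that each Snort instance sees both directions of a connection. The SHA-256 based hash, the function names and the sample packets are assumptions made for illustration; PF_RING's real clustering hash is different.

```python
import hashlib
import ipaddress

def flow_key(src, sport, dst, dport, proto):
    """Direction-independent flow key: sort the two endpoints so that
    A->B and B->A packets of one connection produce the same key."""
    a = (int(ipaddress.ip_address(src)), sport)
    b = (int(ipaddress.ip_address(dst)), dport)
    lo, hi = sorted((a, b))
    return f"{proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}".encode()

def assign_instance(pkt, n_instances):
    """Map a packet to a sensor instance by hashing its flow key.
    SHA-256 is a stand-in hash chosen for this example."""
    digest = hashlib.sha256(flow_key(*pkt)).digest()
    return int.from_bytes(digest[:4], "big") % n_instances

def round_robin(packets, n_instances):
    """Contrast case: per-packet round robin ignores flows entirely."""
    return [i % n_instances for i in range(len(packets))]

def instances_per_flow(packets, assignments):
    """For each flow, collect the set of instances that saw its packets."""
    seen = {}
    for pkt, inst in zip(packets, assignments):
        seen.setdefault(flow_key(*pkt), set()).add(inst)
    return seen

def sample_packets(n_flows=200, pkts_per_dir=3):
    """Constructed sample traffic: n_flows clients talking to one server,
    with request and response packets interleaved."""
    pkts = []
    for i in range(n_flows):
        client, cport = f"10.0.{i // 250}.{i % 250 + 1}", 40000 + i
        for _ in range(pkts_per_dir):
            pkts.append((client, cport, "192.0.2.10", 443, "tcp"))
            pkts.append(("192.0.2.10", 443, client, cport, "tcp"))
    return pkts

if __name__ == "__main__":
    n = 4  # one sensor instance per core, as in the reply above
    pkts = sample_packets()
    by_flow = instances_per_flow(pkts, [assign_instance(p, n) for p in pkts])
    by_rr = instances_per_flow(pkts, round_robin(pkts, n))
    print("flow hash, max instances per flow:", max(map(len, by_flow.values())))
    print("round robin, max instances per flow:", max(map(len, by_rr.values())))
```

With flow hashing every connection stays on one instance, so stream reassembly and stateful rules keep working; with per-packet distribution a single connection is scattered across instances.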