Snort mailing list archives

advice on scaling / performance


From: Joseph Nicholas Yarbrough <nyarbrough () lurhq com>
Date: Tue, 19 Jun 2001 09:00:50 -0400

I have a question concerning performance. I searched the archives and wonder 
if this info is up to date. As base information, we will use 99% of the 
snort.org ruleset. Our original idea was 4 network cards with a cable running 
from each to an important part of the network (inside & outside firewall, 
service net, and some side network). We would be running a single instance of 
Snort running on each interface. Comments or suggestions?

How powerful of a system should we use to be able to process all this data 
(at full loads if needed) on a 100mbps network?

Everyone seemed very sure that I should use "high quality" cards with "good" 
driver support for your platform. I have been unable to find a network 
performance review for Linux (our target platform). I have gathered from 
newsgroups, which are known for spreading complete garbage, that I should use 
Intel cards and not use 3com cards on Linux. Anyone have a clue? Perhaps a  
link to a review?

I planned a rackmount system with:
Intel Pentium III 850mhz (256k cache)
Intel eepro100 NIC
128MB sdram
20GB ATA/100 card
Mandrake Linux (perhaps 7.1?)

Which kernel version should I use? I would like to have 2.4 for netfilter, 
but should I use 2.2 for some reason?

Would it be a better idea to build a smaller box for each interface we want 
to monitor?

Feel free to ignore any stupid questions, and only answer questions you have 
time for. I don't want to chew up everyone's time with my constant badgering.

Thanks for Snort, guys,
-Nick
