Re: Hardware required for monitoring a DS3

[brandon () roguetrader com]

On Tue, Oct 02, 2001 at 01:36:05PM -0700, Erek Adams wrote:
> On Tue, 2 Oct 2001, SecLists wrote:
>
> > I am wondering if any of you would know what type of Intel machine setup I
> > would need to monitor a DS3 at a fairly large sevice provider. The machine
> > would be running OpenBSD 2.9. The DS3 is typically at about 60-70% usage
> > at peak times... It will also be logging to a remote database.
> >
> > Also, any idea how much disk space we should plan for? The ruleset would
> > not be too stringent as we have many different types of traffic coming
> > over that link...
>
> Gee...  A big one?  Seriously, have a look st:
>
>   http://www.snort.org/docs/faq.html#2.10
>
> The honest answer is there is no 'one size fits all' answer.  Best suggestions
> I've seen:
>
>       Good Nic!       --Probably one of the most important..
>       Fast Processor  --Probably one of the most important.
>       Plenty of RAM   --Some preprocssors chew up RAM.
>       Enough Disk     --Enough disk to log X amount of time.
>       Plenty of CPU   --More traffic, the bigger the engine needs to be.
>       Fast HD Cntrl   --UWSCSI.
>       Fast HD's       --Solid State drives rock!
>       Backend Nic     --For Admin and logging to remote console.
>
> Now, yes you will spend some cash on this, but do a <cost of 'comapny
> secrets'> vs. <box cost> and you'll see real quick that the box is a lot
> cheaper!
>
> If you drop that into a box, you're gonna be able to snort a large amount of
> packets.  Just get 4x the box you think.  If it's 400mhz on the table, get a
> 1.2k cpu.  I know it sounds crazy, but it's easier not to rebuild every 2
> years...
>
> A Sun Netra X1 would be nice, or even a Netra T1.  Intel is not required...
> :)

We have a few DS3's and are averaging an aggregate of about 40MBit of them.
I have recently been evaluating upgrading.  We tried a Sun Netra T1/500MHz
and it was slower than our existing P3/850Mhz.  I also had some problems
because it appeared to actually process less packets but did not record ANY
lost packets, compared to our FreeBSD box on intel.  With a few minute
span each on the same hub recording the same data the Intel/BSD box
recorded about 2.3mil packets with less than 1 % loss and the SUn
recorded about 1.5 mil packets with zero loss.  We have since
disregarded the sun as a viable option.  What we did end up deciding
on was a Dual Athalon MP core at 1.2GHz.  We are buying the eracks
version (http://www.eracks.com).

-Brandon

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users