Snort mailing list archives
RE: Hardware requireds...
From: "Franki" <frankieh () vianet net au>
Date: Wed, 3 Oct 2001 05:03:15 +0800
using your below mentioned details,,, what sort of bandwidth would a 1.4gig athlon 512mb and 60gig ATA100 7200rpm IBM drive 2x10/100 nic's running 2.4.x linux be able to handle with a fairly normal ruleset??

we have 2 or 3 networks that I'd like to set snort up on,, (or possibly prelude,, dunno yet, testing will tell.) and I want to know roughly what sort of machine is suitable for what amount of traffic it's monitoring..

We have a couple of the above listed machines here that are not currently doing anything else and I was wondering how well they would fare... I suppose the hard disk and ram would be the letdowns????

anyway, if anyone has that sort of machine running as a snort server, what sort of connection do you monitor and is your machine handling the load ok???

rgds

Frankn

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Erek Adams
Sent: Wednesday, 3 October 2001 4:36 AM
To: SecLists
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Hardware required for monitoring a DS3

On Tue, 2 Oct 2001, SecLists wrote:
I am wondering if any of you would know what type of Intel machine setup I would need to monitor a DS3 at a fairly large service provider. The machine would be running OpenBSD 2.9. The DS3 is typically at about 60-70% usage at peak times... It will also be logging to a remote database. Also, any idea how much disk space we should plan for? The ruleset would not be too stringent as we have many different types of traffic coming over that link...
Gee... A big one? Seriously, have a look at:

http://www.snort.org/docs/faq.html#2.10

The honest answer is there is no 'one size fits all' answer. Best suggestions I've seen:

Good Nic!       --Probably one of the most important..
Fast Processor  --Probably one of the most important.
Plenty of RAM   --Some preprocessors chew up RAM.
Enough Disk     --Enough disk to log X amount of time.
Plenty of CPU   --More traffic, the bigger the engine needs to be.
Fast HD Cntrl   --UWSCSI.
Fast HD's       --Solid State drives rock!
Backend Nic     --For Admin and logging to remote console.

Now, yes you will spend some cash on this, but do a <cost of 'company secrets'> vs. <box cost> and you'll see real quick that the box is a lot cheaper!

If you drop that into a box, you're gonna be able to snort a large amount of packets. Just get 4x the box you think. If it's 400mhz on the table, get a 1.2k cpu. I know it sounds crazy, but it's easier not to rebuild every 2 years...

A Sun Netra X1 would be nice, or even a Netra T1. Intel is not required... :)

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Hardware required for monitoring a DS3 SecLists (Oct 02)
- Re: Hardware required for monitoring a DS3 Erek Adams (Oct 02)
- Re: Hardware required for monitoring a DS3 bthaler (Oct 02)
- Re: Hardware required for monitoring a DS3 brandon (Oct 02)
- Re: Hardware required for monitoring a DS3 Erek Adams (Oct 02)
- Re: Hardware required for monitoring a DS3 brandon (Oct 03)
- RE: Hardware requireds... Franki (Oct 02)
- RE: Hardware requireds... Erek Adams (Oct 02)
- Re: Hardware required for monitoring a DS3 Erek Adams (Oct 02)