Snort mailing list archives

Re: Enough Machine for Snort?


From: Patrick Darden <darden () armc org>
Date: Wed, 6 Feb 2002 15:42:26 -0500 (EST)


I'll translate that 200-300MB to 250Mb/s (hoping to goodness that you
meant Mb not MB, and that you meant per second--not en tot, and
averaging it to 250 just to have a solid number to work with).


250Mb/s / 8 = 31MB/s x 60 seconds = 1.875GB/min x 60 minutes = 112.5GB/hour


Speedwise, you need a disk subsystem capable of *writing* a sustained
average of 31MB/s.  Mirroring is fast for reads, but slow for writes.  The
data isn't that important.  I would do a mirrored disk system for OS and
applications, and a striped system for the logged data.

Capacity-wise, you probably want a week's worth of logging at a time for
spotting progressive directed scans, so you would need 18.9TB of storage
(112.5GB/h * 24 * 7), or if you only have 10 hour work days, you could
safely halve that amount to roughly 9TB of storage.  That's about 45 180GB
drives... you'll need a lot of electricity and cooling capability.

SCSI is obviously a necessity.  You might want to use quad channel for
the logging system.  I would also suggest that you get great gige nics,
perhaps ones that offload the tcp/ip stack from the cpu.  The fewer interrupts,
ios, and OS level stuff you have to do, the better.

For an operating system, the newest FreeBSD has a lot of tcp/ip tweaks, is
stable, and is a great choice.  Linux is my favorite OS, but the choices
for gige are sparse.  Win 2K Pro is well thought of by some of my
colleagues in-house, but I have never used it.  Solaris would be a good
choice, except to get the benefits you would have to buy the Sun
hardware--I recommend an E450 for the drive bays you will need.

CPU and RAM are fine.


If you just want 24 hours of logs, then it gets a lot easier.  If you
discard all uninteresting packets (and use that definition loosely), then
it gets a LOT easier, but conversely you will not see so many interesting
patterns over time and might miss more subtle attacks.



--
--Patrick Darden                Internetworking Manager             
--                              706.475.3312    darden () armc org
--                              Athens Regional Medical Center
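The sizing arithmetic in the reply above, as an added calculator that is not part of the original post. It assumes decimal units (1 GB = 1000 MB, 1 TB = 1000 GB), 8 bits per byte and a fully saturated link, and resolves the Mb/MB ambiguity the reply flags by taking the unit explicitly.

```python
# Added full-packet-logging sizing helper (not from the thread).
# Assumptions: decimal units, 8 bits/byte, link always at the stated rate.
import math


def link_rate_mbps(value: float, unit: str) -> float:
    """Normalise a stated rate to megabits per second.

    "Mb/s" is taken as megabits, "MB/s" as megabytes (x8); anything
    else is rejected rather than guessed, since a factor of 8 decides
    whether the disk subsystem is adequate.
    """
    if unit == "Mb/s":
        return value
    if unit == "MB/s":
        return value * 8.0
    raise ValueError(f"unknown rate unit: {unit!r}")


def sustained_write_mb_per_s(link_mbps: float) -> float:
    """Megabytes per second the logging disks must absorb."""
    return link_mbps / 8.0


def storage_gb(link_mbps: float, hours: float) -> float:
    """Capacity (GB) needed to retain `hours` of traffic at `link_mbps`."""
    return sustained_write_mb_per_s(link_mbps) * 3600.0 * hours / 1000.0


def retention_plan(link_mbps: float, days: float,
                   hours_per_day: float = 24.0,
                   drive_gb: float = 180.0) -> dict:
    """Write rate, per-hour growth, total capacity and whole-drive count.

    hours_per_day < 24 models logging only during working hours, as the
    reply suggests for a 10-hour day.
    """
    total = storage_gb(link_mbps, days * hours_per_day)
    return {
        "write_mb_per_s": sustained_write_mb_per_s(link_mbps),
        "gb_per_hour": storage_gb(link_mbps, 1.0),
        "total_gb": total,
        "drives": math.ceil(total / drive_gb),
    }


if __name__ == "__main__":
    # Constructed input: the 250 Mb/s figure the reply settles on.
    for hpd in (24.0, 10.0):
        print(hpd, retention_plan(link_rate_mbps(250, "Mb/s"), 7, hpd))
```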


On Wed, 6 Feb 2002, Hall, Duane wrote:

I am considering the following configuration:

Dell Poweredge 1550

2 X Pentium III 1.4GHz w/ 512K Cache
512MB SDRAM, 2 DIMMS
2 X 36Gb Ultra3 10K SCSI Hard drives in Mirror Mode
Raid Card with 64 MB Cache
2 X Broadcom NetXtreme 10/100/1000 NICS

Would this be enough to log about 200-300 MB traffic from a Gigabit
Ethernet?


Thanks

Duane


**************************
Duane Hall
Security Administrator

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list


