Snort mailing list archives

Re: minimum requirements?


From: John Sage <jsage () finchhaven com>
Date: Sat, 27 Jul 2002 19:37:28 -0700

Neal:

On Sat, Jul 27, 2002 at 04:01:09PM -0500, Neal Hamilton wrote:
> I can't find any documentation on what would be a starting point for cpu/mem
> requirements. The spare machines I have rummaged up for this
> project are the following:

One of those sorts of questions that mainly get answered "It
depends..."

The general snort answer:

1) how many, and what sort of rules will you be running? "Fewer" is
better, but what's "fewer"...

2) what kind of logging will you be doing?  -b binary logging is by
far fastest; logging to a console is slow.

3) what else is running on the snort host? Database; web server; etc
etc..?

> 1. The sensor that will be running snort (266mhz pent2 with 396meg ram).
> The sensor is on a ipf/openbsd bridge with 3 interfaces. 2 of the
> interfaces will be in bridge mode with no ip address. Of the 2 stealth
> interfaces only one, the one connected to the cable modem, will be running
> as a snort sensor and will have no firewall rules associated with it as I
> want to see everything and filtering would make the snort sensor useless.
> The other stealth interface will be connected to the nat router from my lan
> and will not be a sensor but will have some filters applied to it.
>
> Is the above acceptable for a cable modem 10/100 network?

I'd think, absolutely, but see: 1), 2), and 3), above.

I'm running snort on a firewall/router, a Pentium 150 classic with
96mb RAM out of a modem, for a 10/100 LAN with four other boxes back
behind, and snort never breaks a sweat.

I *am* binary logging, and logging to syslog, and I'm also alerting to
a MySQL database off on another host..

I'm running snort against most all of the stock rules, and maybe an
additional 75 more custom rules that essentially alert or log
*everything*

My snort host is also running a caching-only nameserver, tcpdump on
two interfaces, xntpd, emacs, but *not* X -- it's CLI only..

> 2. The PureSecure Console running mysql and apache. Note: the server will not
> be running snort, the main sensor is the box mentioned above. The machine I
> have picked up for this is a (500mhz amd with 256 megs of pc-100 ram and a
> 80gig ata100 hd.) Is this enough power for currently one sensor and maybe
> another later?

I'm running ACID/MySQL on an AMD K6-2 500, 256mb RAM, that's running
a lot of other stuff, and it never breaks a sweat, either. OS = RHL 7.2 

> The OS I have chosen for the sensor (bridge) is OpenBSD 3.1.
> The OS I have chosen for the Mysql database and apache server is Redhat
> linux 7.2, because there will be another app running on this box that only
> runs on rdh linux...so I have to use it. The app does not use much
> cpu/memory; sometimes I can't even tell it's running because it has such a
> small footprint.
>
> Any advice, help, guidance would be appreciated.
>
> Have a great day.
>
> Thanks,
> Neal Hamilton

Best wishes,


- John
-- 
Why, yes, I talk to birds. I speak fluent finch.

PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5 
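The first sizing factor John names is the number of rules the sensor will load. As an added example, not part of the original thread, the POSIX shell snippet below counts the enabled rule lines in a set of Snort rule files, skipping commented-out rules and blank lines; the `count_rules` helper, the temporary directory and the sample `local.rules` content are all constructed for this illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Counts the rules a ruleset
# would actually load, since rule count is the first sizing factor above.
# count_rules, the temp directory and the sample rules are constructed.

# Count enabled rule lines (actions alert/log/pass/activate/dynamic).
# Commented-out rules ('#') and blank lines are ignored. A rule continued
# with a trailing backslash is counted once, because only the line that
# begins with the action keyword matches.
count_rules() {
    cat "$@" \
        | grep -E '^[[:space:]]*(alert|log|pass|activate|dynamic)[[:space:]]' \
        | wc -l \
        | tr -d ' '
}

# Constructed sample ruleset: three active rules, one disabled, one that
# spans two lines.
tmpdir=$(mktemp -d)
cat > "$tmpdir/local.rules" <<'EOF'
# local.rules (constructed sample)
alert tcp any any -> $HOME_NET 23 (msg:"telnet attempt"; sid:1000001;)
# alert tcp any any -> $HOME_NET 21 (msg:"disabled rule"; sid:1000002;)
log udp any any -> $HOME_NET 53 (msg:"dns query"; sid:1000003;)
pass tcp $HOME_NET any -> any 80 (msg:"trusted web"; sid:1000004;)

alert icmp any any -> $HOME_NET any (msg:"icmp"; \
    sid:1000005;)
EOF

SAMPLE_RULES="$tmpdir/local.rules"
echo "active rules: $(count_rules "$SAMPLE_RULES")"
```

Run it against the sensor's real rule files (for example `count_rules /etc/snort/*.rules`) to put a number on "how many rules" before comparing hardware. The sample above reports 4 active rules. The second factor, logging mode, is chosen on the Snort command line: `-b` logs packets in tcpdump binary format and `-l` names the log directory, as in `snort -b -l /var/log/snort -c snort.conf -i <iface>`, which is the fast path John recommends over console output.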


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users