Snort mailing list archives

RE: Design questions...


From: "Jakub Molek" <j.molek () finplus pl>
Date: Wed, 30 Oct 2002 17:43:51 +0100

Hi,
IMHO a standard P4 computer with 512 kB RAM and fast ATA disks will be
sufficient. Now I use a box like that with 5 Intel 100TX NICs for snorting
on 5 local subnets with logging to a local MySQL database (I usually have
less than 15k alerts per day).
And a useful hint from me: keep your database clean, so often drop the not
really dangerous logs (daily).
 
Kuba Molek

-----Original Message-----
From: Jeremy Finke [mailto:Jeremy.Finke () MeridianIQ com] 
Sent: Tuesday, October 29, 2002 3:46 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Design questions...



Hi, hopefully my email is sorted out now and this will get through...
I have some performance questions that I hope someone would be able
to help me out with.
I am trying to convince my boss to start implementing snort at a serious
level. Problem is, he is a windows/closed source type of guy and I am a
unix/open source type of guy. I am trying to convince him to buy
separate boxes for each of the sensors and then a logging box that has
its own private network to send data across. Ideally, I would have 4
snort sensors and one of them being an ACID/PHP/MySQL log server. He does
not want to pay for all the boxes because he thinks that they are going
to cost $2.5k a pop. I think that we can go with a non-major vendor
(pogo linux, penguin computing, etc....) and get it cheaper, but that is
a different story.

So, he brought up the idea of having one big box and having multiple
NICs. Now, I know that this can easily be done using multiple snort
processes/conf files/etc... However, I am wondering about the
performance of such a beast. What type of horsepower do I need to
monitor 2 T1s (on separate networks) and 2 100MB networks (also
separate)? Also, it will probably be running the database as well, on a
separate network. Can people give me an idea of what they are running
out there?

Thanks! 
Jeremy Finke 

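The daily "keep your database clean" housekeeping that Jakub recommends, as an added example that is not code from either poster: it assumes the stock Snort MySQL schema (event, signature, iphdr, tcphdr, udphdr, icmphdr, opt and data keyed by sid+cid, with signature.sig_priority following classification.config where 3 = low), ACID's acid_event table, a 7-day retention window for low-priority alerts, and a MySQL new enough to support multi-table DELETE (4.0 or later).

```sql
-- Added example, not from the thread. Prunes low-priority alerts older than
-- 7 days from every per-event table, so ACID is not left with orphan rows.
-- Assumed schema: stock Snort MySQL tables plus ACID's acid_event.

-- 1. Collect the (sid, cid) keys of the alerts to drop. Only classes with
--    sig_priority >= 3 (low) are candidates; NULL priority rows are kept,
--    since an unclassified alert is not known to be harmless.
CREATE TEMPORARY TABLE prune_keys (
  sid INT UNSIGNED NOT NULL,
  cid INT UNSIGNED NOT NULL,
  PRIMARY KEY (sid, cid)
);

INSERT INTO prune_keys (sid, cid)
  SELECT e.sid, e.cid
  FROM event e
  JOIN signature s ON s.sig_id = e.signature
  WHERE s.sig_priority >= 3
    AND e.timestamp < DATE_SUB(NOW(), INTERVAL 7 DAY);

-- 2. Delete the same keys from the payload and header tables first, then
--    from the ACID index table, and from event last.
DELETE d FROM data d
  JOIN prune_keys p ON p.sid = d.sid AND p.cid = d.cid;
DELETE o FROM opt o
  JOIN prune_keys p ON p.sid = o.sid AND p.cid = o.cid;
DELETE t FROM tcphdr t
  JOIN prune_keys p ON p.sid = t.sid AND p.cid = t.cid;
DELETE u FROM udphdr u
  JOIN prune_keys p ON p.sid = u.sid AND p.cid = u.cid;
DELETE i FROM icmphdr i
  JOIN prune_keys p ON p.sid = i.sid AND p.cid = i.cid;
DELETE h FROM iphdr h
  JOIN prune_keys p ON p.sid = h.sid AND p.cid = h.cid;
DELETE a FROM acid_event a
  JOIN prune_keys p ON p.sid = a.sid AND p.cid = a.cid;
DELETE e FROM event e
  JOIN prune_keys p ON p.sid = e.sid AND p.cid = e.cid;

DROP TEMPORARY TABLE prune_keys;
```

Run it from a nightly cron job with the mysql client; high- and medium-priority alerts are untouched, so the investigation trail ACID shows is only thinned of noise.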