Snort mailing list archives
Re: Best Enterprise Snort Configuration
From: Ken Gunderson <kgunders () teamcool net>
Date: Wed, 12 Feb 2003 11:11:46 -0700
On Wednesday 12 February 2003 09:08 am, Paul Schmehl wrote:

On Wed, 2003-02-12 at 09:38, tfandango wrote:

Good news, I have a go for a Snort R&D project to prove that Snort can handle the traffic that our current commercial $oftware does. So I have a few questions... What is the best enterprise setup? I estimate that we will need about 60-70 sensors when it's all said and done. For an R&D project, I figure that I will start with about 2 sensors running linux.

Use FreeBSD. There's a really nice setup guide on the Documentation page that will walk you through the install and get you up and running. FreeBSD is known to be the fastest OS when it comes to handling network traffic, and that's what you'll be doing with snort. My FreeBSD snort box is a 1.3GHz processor with 1GB of ram, and it typically uses about 175MB of memory "running" and 350MB if I'm doing something to the database. And the box is running snort, mysql and acid.

FreeBSD rocks, but I think OpenBSD <http://www.openbsd.org> has it beat by a slim margin on tcp/ip stack speed, and it has an unparalleled track record when it comes to security. There used to be a paper by Dug Song with some benchmarks at monkey.org comparing freebsd, linux, and openbsd, but I am unable to find it at present, as it is apparently "censored by the digital millennium copyright act". fwiw, in this bench both freebsd and openbsd smoked Linux by a margin of something like 2:1, however, from what I understand the linux stack has improved quite a bit.

my $0.02

--
Best regards,
Ken Gunderson
PGP Key-- 9F5179FD

"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin, Historical Review of Pennsylvania.