Snort mailing list archives
RE: Minimum hardware config for Snort
From: "Sheahan, Paul" <Paul.Sheahan () priceline com>
Date: Fri, 8 Aug 2003 17:08:25 -0400
Excellent advice - thanks very much!

-----Original Message-----
From: Bennett Todd [mailto:bet () rahul net]
Sent: Friday, August 08, 2003 5:00 PM
To: Sheahan, Paul
Cc: 'Schmehl, Paul L'; Snort List (E-mail)
Subject: Re: [Snort-users] Minimum hardware config for Snort

2003-08-08T15:55:23 Sheahan, Paul:
- Gig network with up to 100mb/s traffic
- Running on Red Hat Linux 7
- Will most likely be on an Intel platform (Compaq)
- Will only have 50% of the default rules enabled plus some of my own
- All preprocessors enabled (at least that is the initial plan)
- Outputs will most likely be to log only, but MAY be going to ACID
- Prefer no packet loss
- No other services running (this will be a dedicated sensor box)
I'd really recommend changing that RH7 -> RH9; RH7 is slated for end-of-life Real Soon Now. If you want to juice things a bit more, hunt down and incorporate the ringbuffered libpcap. But for 100Mbps neither of these should be necessary.

I'd not necessarily recommend _all_ preprocessors; I really would recommend considering them case-by-case and including the ones that you think will really add value for you.

Make sure you get a good gig-e interface. I've enjoyed good success in a previous deployment using SysKonnect.

Memory is cheap. Get a GB. Snort loves memory. Especially with fast nets and lots of preprocessors.

CPUs are cheap. Get a nice quick one. I handled 50Mbps with negligible tuning and negligible packet loss using c. 1.25GHz P4; with reasonable tuning I'm pretty sure that platform would have stretched past 100Mbps. But CPUs are so darned cheap, get the quickest currently conveniently available.

When you are doing logging only, make sure you're doing -A fast -b, or else just shoot the alerts out through syslog. When you go to a DB, make sure you go by way of barnyard, and stick the DB on a separate box.

If you are getting tons of alerts, expect to lose packets; snort keeps up with huge traffic loads when it's not having to alert on most packets. I don't have a real hard figure for you here, but I'd expect that 2-3 alerts/second would probably be around the threshold where snort performance will be impacted. If you can tune your preprocessor and sig configs to get alerts down well below that, it removes one source of potential worry.
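Bennett's rule of thumb above is that a sustained 2-3 alerts/second is roughly where Snort starts dropping packets, and that the fix is to tune the noisiest signatures down. The script below is an added example (not from the thread, and not part of Snort or barnyard) that measures exactly that from a `-A fast` alert log: peak alerts per second, which seconds cross the threshold, and which signatures are responsible. The `-A fast` line layout encoded in the regex and the sample alert lines are this example's own assumptions.

```python
import re
from collections import Counter

# Assumed layout of a Snort "-A fast" alert line (the regex is this example's own):
# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] message [**] ... {PROTO} src -> dst
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
)

# Constructed sample alerts (not from the thread); sids 2003 and 469 are stock Snort rules.
SAMPLE_ALERTS = """\
08/08-15:55:23.100001  [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.1.1.5:1434 -> 10.2.2.9:1434
08/08-15:55:23.200002  [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.1.1.5:1434 -> 10.2.2.10:1434
08/08-15:55:23.300003  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.3.3.3 -> 10.2.2.9
08/08-15:55:23.400004  [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.1.1.5:1434 -> 10.2.2.11:1434
08/08-15:55:24.000005  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.3.3.3 -> 10.2.2.10
08/08-15:55:26.000006  [**] [1:1000001:1] LOCAL custom rule hit [**] [Priority: 3] {TCP} 10.4.4.4:40000 -> 10.2.2.9:80
"""

def parse_fast_alert(line):
    """Return (timestamp truncated to the second, 'gid:sid', message), or None for non-alert lines."""
    m = FAST_ALERT_RE.match(line)
    if not m:
        return None
    return m.group("ts"), f"{m.group('gid')}:{m.group('sid')}", m.group("msg")

def alert_rate_report(text, threshold=3, top_n=3):
    """Peak alerts/second, seconds at or above the threshold, and the noisiest signatures."""
    per_second = Counter()
    per_signature = Counter()
    for line in text.splitlines():
        parsed = parse_fast_alert(line)
        if parsed is None:
            continue  # skip blank or malformed lines rather than miscounting them
        ts, sig, msg = parsed
        per_second[ts] += 1
        per_signature[(sig, msg)] += 1
    peak_ts, peak = max(per_second.items(), key=lambda kv: kv[1]) if per_second else (None, 0)
    return {
        "total": sum(per_second.values()),
        "peak_per_second": peak,
        "peak_second": peak_ts,
        "hot_seconds": sorted(ts for ts, n in per_second.items() if n >= threshold),
        "top_signatures": per_signature.most_common(top_n),  # candidates for tuning or thresholding
    }
```

Run `alert_rate_report(open("alert").read())` against a real fast-alert file; on the sample it reports a peak of 4 alerts/second in 15:55:23, with sid 2003 as the top contributor.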