Snort mailing list archives

RE: Minimum hardware config for Snort


From: "Sheahan, Paul" <Paul.Sheahan () priceline com>
Date: Fri, 8 Aug 2003 17:08:25 -0400

Excellent advice - thanks very much!

-----Original Message-----
From: Bennett Todd [mailto:bet () rahul net]
Sent: Friday, August 08, 2003 5:00 PM
To: Sheahan, Paul
Cc: 'Schmehl, Paul L'; Snort List (E-mail)
Subject: Re: [Snort-users] Minimum hardware config for Snort


2003-08-08T15:55:23 Sheahan, Paul:
- Gig network with up to 100mb/s traffic
- Running on Red Hat Linux 7
- Will most likely be on an Intel platform (Compaq)
- Will only have 50% of the default rules enabled plus some of my own
- All preprocessors enabled (at least that is the initial plan)
- Outputs will most likely be to log only, but MAY be going to ACID
- Prefer no packet loss
- No other services running (this will be a dedicated sensor box)

I'd really recommend changing that RH7 -> RH9; RH7 is slated for
end-of-life Real Soon Now. If you want to juice things a bit more,
hunt down and incorporate the ringbuffered libpcap. But for 100Mbps
neither of these should be necessary.

I'd not necessarily recommend _all_ preprocessors; I really would
recommend considering them case-by-case and including the ones that
you think will really add value for you.

Make sure you get a good gig-e interface. I've enjoyed good success
in a previous deployment using SysKonnect.

Memory is cheap. Get a GB. Snort loves memory. Especially with fast
nets and lots of preprocessors.

CPUs are cheap. Get a nice quick one. I handled 50Mbps with
negligible tuning and negligible packet loss using c. 1.25GHz P4;
with reasonable tuning I'm pretty sure that platform would have
stretched past 100Mbps. But CPUs are so darned cheap, get the
quickest currently conveniently available.

When you are doing logging only, make sure you're doing -A fast -b,
or else just shoot the alerts out through syslog. When you go to a
DB, make sure you go by way of barnyard, and stick the DB on a
separate box.

If you are getting tons of alerts, expect to lose packets; snort
keeps up with huge traffic loads when it's not having to alert on
most packets. I don't have a real hard figure for you here, but I'd
expect that 2-3 alerts/second would probably be around the
threshold where snort performance will be impacted. If you can tune
your preprocessor and sig configs to get alerts down well below
that, it removes one source of potential worry.
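Bennett's last point, that sustained alerting is what costs Snort packets, is easy to check from the sensor's own output before deciding on hardware. The script below is an added example written for this archive page, not code from the thread or from the Snort project. It parses lines in the layout Snort's `-A fast` mode writes (assumed here to be `MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ...`), counts alerts per second, and flags any second at or above a threshold, defaulting to the 3 alerts/second figure from the reply above. The sample log lines are constructed for the example and the sid values in them are illustrative; point `alert_rate_report` at a real `alert` file to get the same report for your own sensor.

```python
"""Measure alerts-per-second in a Snort '-A fast' alert file.

The reply above suggests that somewhere around 2-3 alerts/second a
2003-era Snort sensor starts dropping packets; this script shows how
far a log is from that line and which signature is generating the
noise, so rules or preprocessors can be tuned before adding CPU.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample in Snort 2.x fast-alert layout (an assumption about
# the format; these lines were made up for this example, the sids are
# illustrative and 1000001 is a placeholder local-rule sid).
SAMPLE_FAST_LOG = """\
08/08-15:55:23.104512  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.5 -> 10.0.0.9
08/08-15:55:23.204877  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.5 -> 10.0.0.10
08/08-15:55:23.305011  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.5 -> 10.0.0.11
08/08-15:55:23.405133  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.5 -> 10.0.0.12
08/08-15:55:24.010400  [**] [1:1000001:1] LOCAL suspicious HTTP request [**] [Priority: 3] {TCP} 192.168.1.20:41022 -> 10.0.0.80:80
08/08-15:55:26.500221  [**] [1:1000001:1] LOCAL suspicious HTTP request [**] [Priority: 3] {TCP} 192.168.1.21:41023 -> 10.0.0.80:80
this line is not an alert and must be skipped
"""

# Timestamp to the second, then the [gid:sid:rev] triple and the message.
FAST_LINE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
)


def parse_fast_alerts(text):
    """Yield (second, gid, sid, msg) for each well-formed alert line."""
    for line in text.splitlines():
        m = FAST_LINE.match(line)
        if m:
            yield m.group("ts"), m.group("gid"), m.group("sid"), m.group("msg")


def alert_rate_report(text, threshold=3):
    """Summarise alert volume; 'hot_seconds' lists seconds at/above threshold."""
    per_second = Counter()
    per_signature = Counter()
    for sec, gid, sid, msg in parse_fast_alerts(text):
        per_second[sec] += 1
        per_signature[(gid, sid, msg)] += 1

    if not per_second:
        return {"alerts": 0, "span_seconds": 0, "average_per_second": 0.0,
                "peak_per_second": 0, "hot_seconds": [], "noisiest": None}

    # Fast alerts carry no year; strptime defaults it, which is fine for
    # a difference within one capture.
    stamps = sorted(datetime.strptime(s, "%m/%d-%H:%M:%S") for s in per_second)
    span = int((stamps[-1] - stamps[0]).total_seconds()) + 1
    total = sum(per_second.values())
    return {
        "alerts": total,
        "span_seconds": span,
        "average_per_second": total / span,
        "peak_per_second": max(per_second.values()),
        "hot_seconds": sorted(s for s, n in per_second.items() if n >= threshold),
        "noisiest": per_signature.most_common(1)[0],
    }


if __name__ == "__main__":
    report = alert_rate_report(SAMPLE_FAST_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the sample, the peak second carries four alerts, all from one signature, while the average over the capture is well under the threshold; that is the usual shape, and it says the fix is to tune or disable the one noisy rule rather than to buy a faster CPU.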

