Snort mailing list archives

RE: Question about best hardware


From: "Kreimendahl, Chad J" <Chad.Kreimendahl () umb com>
Date: Fri, 5 Mar 2004 12:07:26 -0600


Hardware won't be your problem.  Once you get around 100k events in the
snortdb on MySQL you'll run into major performance problems that almost
no amount of hardware seems to solve.   If you don't have issues
relating to how long you legally have to keep that data, then I
recommend purging what you can.

-----Original Message-----
From: M. Morgan [mailto:mikemorgan () mindspring com] 
Sent: Friday, March 05, 2004 11:18 AM
To: Mike Cohen; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Question about best hardware


Hi Mike,
 I'm sure you'll get a lot of different replies but I'm going to give you
the specs on my IDS server and you can work from that if you like. I use
a simple P4 2.4, ASUS motherboard with 720mb of PC 3700 DDR Ram, 80GB
IDE drive for a MYSQL server, I have 3 remote snort boxes writing to
this database and it works flawlessly.

 The only time it really has to do any performance is when I'm looking
through the events with snortcenter and it does very well at that. I
know you're looking into a RAID setup but something around the same
performance as mine should be fine. I've run it on a lot less but I had to
be more patient when looking through the database too.

 I also recommend Sentinix Linux as the OS to use, it will save you
*a lot* of setup time and has no desktop GUI overhead on the server (you
can use webmin if you want a GUI).
www.sentinix.org

have fun,
Michael

-----Original Message-----
From: Mike Cohen <mike () antropyinc com>
Sent: Mar 4, 2004 1:54 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Question about best hardware

Hi Folks, 

I am a beginning snort user, and I have been asked to spec a production
snort server to do the following:

Monitor all traffic in and out of a relatively busy Mail Server (300
users). The mail server is on a gigabit link and is usually at about
300mbs average usage, it rarely gets super saturated.

I will be storing the logs on the snort box itself and I have to use a
hardware raid solution.

I am told I must spec an HP brand server and I have the following
questions.

1. I thought I remembered reading that Opterons have an advantage when
trying to sniff gigabit traffic, but I have never used an opteron, and
as an intermediate Linux User I'm not entirely confident trying to force
linux to work on a new architecture, are there any problems with linux
and snort on an opteron?

2. How much memory do I need? I spec'd 1gb, is this sufficient for high
usage?

3. Which distro is best for an intermediate level Linux user? I know
that there is no cut and dry answer to this question, but if anyone has
any insight on using snort on a RAID 1 box, using an opteron on gigabit
please chime in.

If anyone has any other insights as to recommended hardware please let
me know.

Thanks.



-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


