Re: hardware requirements

[Rich Adamson <radamson () routers com>]

The only reason for mentioning the motherboard (etc) is
that people involved with heavy audio apps and asterisk (open
source telephone pbx) have found that some motherboard pci
implementations provide less then stellular bus throughput.
The throughput has had nothing to do with processor speed,
ram, or number of processors.

Based on those observations, I would have to guess the
performance of snort with GigE will vary dramatically from one
machine to another depending upon the exact mobo in use, etc.

I'm certainly not an expert on pci or gige, but have spent a
fair amount of professional time conducting network performance
assessments for clients in 40+ states. I have not yet seen any 
gige implementation that could actually drive the nic interface 
at anything close to rated speed in a production environment. 
(Note: there are probably some somewhere, but I've not seen 
them, and I've been exposed to a large number of implementations.)

As a strang recent example, we're trying to identify why a
specific client's server with two gige interfaces cannot sustain
traffic throughput greater then 170,000 bits/sec through a single
interface. We've double-checked all the basic stuff, and there
are no errors or discards happening anywhere, including the 
correctly configured cisco switch that it attachs to. We'll find
the issue, but we're just not there as yet.

So, given the above and trying to relate back to the original
post relative to recommended hardware to support snort with gige,
I don't know that anyone can truly recommend something without
qualifying the system (DL380) in use (or Mobo), and at what traffic 
volumes snort begins to drop packets. I'd be very confident the 
throughput is substantially less then gige speeds, and I wouldn't 
be a bit surprised to hear dropped packets occurring at 
throughputs less then 25% to 50%.

Rich
------------------------
> True.  
>
> We used the entire rule set and then singled it down
> to worms, virus, and porn related entries.
>
> Motherboard:  Humm... I used a DL380 for the Snort
> install.  Got no idea about the motherboard.
>
> Theo
>
> --- Rich Adamson <radamson () routers com> wrote:
>
> > Right, so his original question should be reworded
> > to be
> > oriented towards when will snort begin dropping
> > packets,
> > etc. I've not seen anyone try to qualify
> > motherboards, etc,
> > under different traffic loads, rule sets, etc.
> >
> > ------------------------
> > > Rich,
> > >
> > > Yes this is true however most people use GigE
> > Cards
> > > for traffic environments where major traffic, ie
> > 1000
> > > Meg traffic,  is expected....
> > >
> > > Theo
> > >
> > > --- Rich Adamson <radamson () routers com> wrote:
> > >
> > > > > Greetings, I would like to know if anyone has
> > any
> > > > hardware recommendations to run SNORT on. 
> > > > specifically im looking to put a GigE NIC in a
> > > > > box and would like to know how fast a CPU and
> > > > memory etc etc.
> > > >
> > > > Just about any box will work, however what you
> > > > really want to know
> > > > is... at what level of traffic will snort begin
> > to
> > > > drop packets.
> > > > In other words, its traffic volume dependent,
> > not
> > > > GigE dependent.
> > > >
> > > > I've got several Win32 boxes running just fine
> > on
> > > > boxes that came
> > > > with GigE ports, but the traffic volumes at
> > those
> > > > locations are so
> > > > low that snort could have been using a 10meg
> > port.
> > > >
> -------------------------------------------------------
> > > > The SF.Net email is sponsored by: Beat the
> > > > post-holiday blues
> > > > Get a FREE limited edition SourceForge.net
> > t-shirt
> > > > from ThinkGeek.
> > > > It's fun and FREE -- well,
> > > > almost....http://www.thinkgeek.com/sfshirt
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists sourceforge net
> > > > Go to this URL to change user options or
> > > > unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > >
> > >
> > >
> > >
> > >           
> > > __________________________________ 
> > > Do you Yahoo!? 
> > > All your favorites on one personal page ETry My
> > Yahoo!
> > > http://my.yahoo.com 
> >
> > ---------------End of Original
> > Message-----------------
> -------------------------------------------------------
> > The SF.Net email is sponsored by: Beat the
> > post-holiday blues
> > Get a FREE limited edition SourceForge.net t-shirt
> > from ThinkGeek.
> > It's fun and FREE -- well,
> > almost....http://www.thinkgeek.com/sfshirt
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or
> > unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
>
>
>
>               
> __________________________________ 
> Do you Yahoo!? 
> Yahoo! Mail - Find what you need with new enhanced search.
> http://info.mail.yahoo.com/mail_250

---------------End of Original Message-----------------




-------------------------------------------------------
The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users