Snort mailing list archives

Re: Snort CPU usage


From: Josh Bitto <jbitto () onlineschool ca>
Date: Tue, 19 Feb 2013 08:54:40 -0800

 the main question is the size of your internet pipe...

The size is 50 down 10 up….but those are just ISP numbers…Production would be lower at peak times.

Each would have an interface to monitor, but where I’m stuck is the
rule sets…

in what way? i have a site with a lowly 800mhz PIII with 4 LANs (not VLANs!) that runs well over half of the rules i 
have available... those rules are from two rules providers... that machine has 768M of RAM and is a single core 
system... but the pipe for that site is a lowly 3Meg DSL line... there are times that some packets are flushed and lost 
but that's due to the quantity of traffic in the pipe... so, not only is the size of the pipe necessary but also the 
speed and cores of your hardware...


I probably should go into more detail…..We use pfSense as our firewall and in that entity you can “install” snort as a 
package.  That being said when you manage each interface you want snort to run on there is a file created in the snort 
folder for each interface named and in those folders are a set of rules preprocessors and sigs……But! In the main snort 
folder there is also a set of rules preprocessors and sigs. So my question really is for each interface and having its 
own folders for rules and such would all those be considered or just “one” set of rules for all interfaces to go 
through?
I read online where a great determining calculation is this…

1 CPU = (1000 signatures ) * (500 megabits network traffic)

i don't know that i can agree with this... see above ;)
Idk….I got it from the internets so it must be right O.O

So my question would be….if each interface has its own rule set aside
from the main download of rules. Does that factor in?

why would you do that? i mean, i guess there is some traffic on one interface that you don't care to alert on but... 
hummm... ;)
I think my above explanation answers this.


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
