[Snort-users] Sizing a system for gigabit backbone

Avleen Vig avleen at ...396...
Tue Oct 31 11:17:56 EST 2000


> > Hiya,
> >
> > I am trying to come up with some hardware recommendations
> > for a new snort IDS system I want to put on my lan. Unfortunaly
> > we are on a totally switched 100mbit network. I can setup a
> > mirror port on one of my switches so I can link up with a
> > giganit nic and sniff the entire lan, but I am totally lost
> > when it comes to sizing a snort system for this level of traffic.
> > I am thinking of going with freebsd or linux since I know I am going
> > to need multiple procs. Would 2 x 1 ghz processors with a gig of ram work?
> > Is anyone running a snort ids at these traffic levels?  Any suggestions?


Whoa whoa whoa!! Talk about overkill :-)

If the machine is going to be dedicated IDS, I would recommend the
following:

1) I assume you are talking about a serious backbone with many IP subnet.
2) You should run one copy of snort per subnet (or range of subnets) to
make log handling much easier.

Even if you have 5 class B subnets, you don't REALLY need more than a
Pentium 300 128Mb of RAM (I think this may be a little overkill too).

Run FreeBSD with each subnet / range of subnets set up as a VLAN on your
IDS box and have a ruleset for each subnet.

Currently for me each copy of snort takes about 6mb of RAM, so adjust your
RAM requirements accordingly.

Have *LOTS* of hard drive space if you are keeping logs and TCPDUMPs (I'm
talking 30Gb+ for that amount of traffic for keeping logs over a week or 
two).

Snort itself takes very little CPU time. I run it to monitor 2 x class C
subnets on a P75 with 8Mb of RAM it's more than happy (FreeBSD OS).
I'm sure I could have it monitoring ten times as much without any real
issues.

As a side note if you're going for FreeBSD and the IDS is going to be
accessable on a network via a second NIC (bad idea) on FreeBSD, upgrade to
the lastest port of TCPDUMP as the last one has root exploitable bugs.
In fact, do this anyway :-)




More information about the Snort-users mailing list