[Snort-users] Sizing a system for gigabit backbone
avleen at ...396...
Tue Oct 31 11:17:56 EST 2000
> > Hiya,
> > I am trying to come up with some hardware recommendations
> > for a new snort IDS system I want to put on my lan. Unfortunaly
> > we are on a totally switched 100mbit network. I can setup a
> > mirror port on one of my switches so I can link up with a
> > giganit nic and sniff the entire lan, but I am totally lost
> > when it comes to sizing a snort system for this level of traffic.
> > I am thinking of going with freebsd or linux since I know I am going
> > to need multiple procs. Would 2 x 1 ghz processors with a gig of ram work?
> > Is anyone running a snort ids at these traffic levels? Any suggestions?
Whoa whoa whoa!! Talk about overkill :-)
If the machine is going to be dedicated IDS, I would recommend the
1) I assume you are talking about a serious backbone with many IP subnet.
2) You should run one copy of snort per subnet (or range of subnets) to
make log handling much easier.
Even if you have 5 class B subnets, you don't REALLY need more than a
Pentium 300 128Mb of RAM (I think this may be a little overkill too).
Run FreeBSD with each subnet / range of subnets set up as a VLAN on your
IDS box and have a ruleset for each subnet.
Currently for me each copy of snort takes about 6mb of RAM, so adjust your
RAM requirements accordingly.
Have *LOTS* of hard drive space if you are keeping logs and TCPDUMPs (I'm
talking 30Gb+ for that amount of traffic for keeping logs over a week or
Snort itself takes very little CPU time. I run it to monitor 2 x class C
subnets on a P75 with 8Mb of RAM it's more than happy (FreeBSD OS).
I'm sure I could have it monitoring ten times as much without any real
As a side note if you're going for FreeBSD and the IDS is going to be
accessable on a network via a second NIC (bad idea) on FreeBSD, upgrade to
the lastest port of TCPDUMP as the last one has root exploitable bugs.
In fact, do this anyway :-)
More information about the Snort-users