[Snort-users] snort optimization

Martin Roesch roesch at ...421...
Thu Jan 18 01:44:11 EST 2001


You should probably be able to do a pretty good job with any low end
system today (subject to the number of rules you're going to run, of
course).  Something like a Celeron 466+ with 64MB of RAM on a dedicated
system should be just fine for that level of traffic.

    -Marty

Kyle R Maxwell wrote:
> 
> Please forgive the newbie question, but what sort of processing power is
> required to efficiently handle a "busy network segment"? For instance, I
> am planning a Snort installation to watch a network that typically hangs
> around 25 Mb/s, and I'm not sure how large of a system will be
> necessary. I know, this is listed in the FAQ, but the answer seems
> more oriented towards troubleshooting than capacity planning.
> 
> On Mon, 15 Jan 2001, Avleen Vig wrote:
> 
> > The answer to both your questions is "no".
> > I'll be VERY surprised if snort drops any packets on that setup, and you
> > don't need anything more for a "more complete capture".
> >
> > ----- Original Message -----
> > From: "Deja User" <malzubs at ...479...>
> > To: <snort-users at lists.sourceforge.net>
> > Sent: Monday, January 15, 2001 7:00 PM
> > Subject: [Snort-users] snort optimization
> >
> >
> > > What is the fastest, most complete way to run snort?  I have a busy
> > > network segment that I'm spanning and sending to the snort IDS.
> > > I downloaded the complete rule file from snort.org "snortfull.conf"
> > > So here is what I have
> > > snort -A full -b -c snortfull.conf -i eth0 -l /LOG/snort
> > >
> > > Is there anything I can do to make it faster and not drop any traffic?
> > > Also, the snortfull.conf does not include any library references, is there
> > > anything I can do to make my capture more complete?
> > >
> 
> --
> Kyle R Maxwell
> kmaxwell at ...1146...
> Superpages.com Sys Admin

--
Martin Roesch
roesch at ...421...
http://www.snort.org
