[Snort-users] snort optimization

Kevin.Brown at ...1022...
Thu Jan 18 02:09:52 EST 2001


I have a PII 400 256MB Ram with the snortfull.conf listening on a single 100Mb
link mirrored off the switch.  The network doesn't even get to 30Mb/s of use
and the box is so overloaded processor-wise that it is very sluggish to
respond even to commands like top.  Since this is just a feasibility test here
the data isn't analyzed much, but my bosses were surprised at just how much
data the box is collecting (clocking around 2-4MB/min of alerts).  Now that I
got it logging to a local SQL database (mysql) the next step is to get it
logging to a remote db, which isn't working so far, and then start determining
what we really need to monitor and see about getting boxen that can take the
load.  I'm just curious if snort is multithreaded so that it can take
advantage of a multi cpu setup.

> You should probably be able to do a pretty good job with any low end
> system today (subject to the number of rules you're going to run, of
> course).  Something like a Celeron 466+ with 64MB of RAM on a dedicated
> system should be just fine for that level of traffic.

> > Please forgive the newbie question, but what sort of processing power is
> > required to efficiently handle a "busy network segment"? For instance, I
> > am planning a Snort installation to watch a network that typically hangs
> > around 25 Mb/s, and I'm not sure how large of a system will be
> > necessary. I know, this is listed in the FAQ, but the answer seems
> > more oriented towards troubleshooting than capacity planning.
