[Snort-users] performance snort question

Thomas Whipp tkw at ...1885...
Tue Jun 19 05:16:07 EDT 2001

and of course you need to know what ruleset/pre-processors
you are using... I haven't done any serious benchmarking
(all my sensors have a lot of headroom just now).

Anyone have any thoughts as to a "minimal" ruleset - perhaps
<100 rules and concentrating on actual attacks and generic
rules (such as the x86 NOOP rule)?


> -----Original Message-----
> From: Lee Smallbone [mailto:lee at ...2318...]
> Sent: 19 June 2001 09:58
> To: Snort-users at lists.sourceforge.net
> Subject: Re[2]: [Snort-users] performance snort question
> Tuesday, June 19, 2001, 8:44:42 AM, you wrote:
> EHS> I haven't seen an answer to Roeland's questions so far.  I am
> EHS> currently considering building a snort box which should be able to
> EHS> withstand a saturated 100mbps in worst-case, and have been unable to
> EHS> find even the slightest hint on what hardware requirement would be
> EHS> needed to do that.
>  The author seems fairly sure that a 486 should be able to keep up
>  with a 100mbit/s link. I'd go one step further and use the following
>  configuration so I know it would be there if it was
>                o) old pentium of some sort (P90/100)
>                o) 32-64mb ram
>                o) Large disk to cope with logs (pref SCSI or ATA100)
>                o) Decent, trusted 100mbit/s NIC