[Snort-users] advice on scaling / performance
Joseph Nicholas Yarbrough
nyarbrough at ...262...
Tue Jun 19 09:00:50 EDT 2001
I have a question concerning performance. I searched the archives and wonder
if this info is up to date. As base information, we will use 99% of the
snort.org ruleset. Our original idea was 4 network cards with a cable running
from each to an important part of the network (inside & outside firewall,
service net, and some side network). We would be running a single instance of
Snort running on each interface. Comments or suggestions?
How powerful of a system should we use to be able to process all this data
(at full loads if needed) on a 100mbps network?
Everyone seemed very sure that I should use "high quality" cards with "good"
driver support for your platform. I have been unable to find a network
performance review for Linux (our target platform). I have gathered from
newsgroups, which are known for spreading complete garbage, that I should use
Intel cards and not use 3com cards on Linux. Anyone have a clue? Perhaps a
link to a review?
I planned a rackmount system with:
Intel Pentium III 850mhz (256k cache)
Intel eepro100 NIC
20GB ATA/100 card
Mandrake Linux (perhaps 7.1?)
Which kernel version should I use? I would like to have 2.4 for netfilter,
but should I use 2.2 for some reason?
Would it be a better idea to build a smaller box for each interface we want
Feel free to ignore any stupid questions, and only answer questions you have
time for. I don't want to chew up everyone's time with my constant badgering.
Thanks for Snort, guys,