[Snort-users] advice on scaling / performance

Joseph Nicholas Yarbrough nyarbrough at ...262...
Tue Jun 19 09:00:50 EDT 2001


I have a question concerning performance. I searched the archives and wonder 
if this info is up to date. As base information, we will use 99% of the 
snort.org ruleset. Our original idea was 4 network cards with a cable running 
from each to an important part of the network (inside & outside firewall, 
service net, and some side network). We would be running a single instance of 
Snort running on each interface. Comments or suggestions?

How powerful of a system should we use to be able to process all this data 
(at full loads if needed) on a 100mbps network?

Everyone seemed very sure that I should use "high quality" cards with "good" 
driver support for your platform. I have been unable to find a network 
performance review for Linux (our target platform). I have gathered from 
newsgroups, which are known for spreading complete garbage, that I should use 
Intel cards and not use 3com cards on Linux. Anyone have a clue? Perhaps a  
link to a review?

I planned a rackmount system with:
Intel Pentium III 850mhz (256k cache)
Intel eepro100 NIC
128MB sdram
20GB ATA/100 card
Mandrake Linux (perhaps 7.1?)

Which kernel version should I use? I would like to have 2.4 for netfilter, 
but should I use 2.2 for some reason?

Would it be a better idea to build a smaller box for each interface we want 
to monitor?

Feel free to ignore any stupid questions, and only answer questions you have 
time for. I don't want to chew up everyone's time with my constant badgering.

Thanks for Snort, guys,
-Nick



