[Snort-users] advice on scaling / performance

Jason Lewis jlewis at ...1831...
Tue Jun 19 09:20:23 EDT 2001

You do realize with that configuration, you have created a gateway to each

The performance thing is based on traffic and load.  If you have dual T-3's,
500 servers and 10,000 internal clients, I don't think that box can keep up.

Jason Lewis
It's not secure "Because they told me it was secure".
The people at the other end of the link know less
about security than you do. And that's scary.

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Joseph
Nicholas Yarbrough
Sent: Tuesday, June 19, 2001 9:01 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] advice on scaling / performance

I have a question concerning performance. I searched the archives and wonder
if this info is up to date. As base information, we will use 99% of the
snort.org ruleset. Our original idea was 4 network cards with a cable
from each to an important part of the network (inside & outside firewall,
service net, and some side network). We would be running a single instance
of Snort running on each interface. Comments or suggestions?

How powerful of a system should we use to be able to process all this data
(at full loads if needed) on a 100mbps network?

Everyone seemed very sure that I should use "high quality" cards with "good"
driver support for your platform. I have been unable to find a network
performance review for Linux (our target platform). I have gathered from
newsgroups, which are known for spreading complete garbage, that I should
use Intel cards and not use 3com cards on Linux. Anyone have a clue? Perhaps a
link to a review?

I planned a rackmount system with:
Intel Pentium III 850mhz (256k cache)
Intel eepro100 NIC
128MB sdram
20GB ATA/100 card
Mandrake Linux (perhaps 7.1?)

Which kernel version should I use? I would like to have 2.4 for netfilter,
but should I use 2.2 for some reason?

Would it be a better idea to build a smaller box for each interface we want
to monitor?

Feel free to ignore any stupid questions, and only answer questions you have
time for. I don't want to chew up everyone's time with my constant

Thanks for Snort guys,
