[Snort-users] Hardware required for monitoring a DS3

Erek Adams erek at ...577...
Tue Oct 2 13:37:02 EDT 2001


On Tue, 2 Oct 2001, SecLists wrote:

> I am wondering if any of you would know what type of Intel machine setup I
> would need to monitor a DS3 at a fairly large service provider. The machine
> would be running OpenBSD 2.9. The DS3 is typically at about 60-70% usage
> at peak times... It will also be logging to a remote database.
>
> Also, any idea how much disk space we should plan for? The ruleset would
> not be too stringent as we have many different types of traffic coming
> over that link...

Gee...  A big one?  Seriously, have a look at:

  http://www.snort.org/docs/faq.html#2.10

The honest answer is there is no 'one size fits all' answer.  Best suggestions
I've seen:

	Good Nic!	--Probably one of the most important..
	Fast Processor	--Probably one of the most important.
	Plenty of RAM	--Some preprocessors chew up RAM.
	Enough Disk	--Enough disk to log X amount of time.
	Plenty of CPU	--More traffic, the bigger the engine needs to be.
	Fast HD Cntrl	--UWSCSI.
	Fast HD's	--Solid State drives rock!
	Backend Nic	--For Admin and logging to remote console.

Now, yes you will spend some cash on this, but do a <cost of 'company
secrets'> vs. <box cost> and you'll see real quick that the box is a lot
cheaper!

If you drop that into a box, you're gonna be able to snort a large amount of
packets.  Just get 4x the box you think.  If it's 400mhz on the table, get a
1.2k cpu.  I know it sounds crazy, but it's easier not to rebuild every 2
years...

A Sun Netra X1 would be nice, or even a Netra T1.  Intel is not required...
:)


-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net




