[Snort-users] Hardware required for monitoring a DS3

bthaler at ...2720...
Tue Oct 2 13:54:02 EDT 2001


Not sure how much help this will be, but here's my setup:

Connection = 45MB T3 avg usage 80%-90%
Hardware = Dual PII 500 MHz SMP, 256MB RAM, Kingston KNE100TX NICs
Software = WinNT4.0SP6, MySQL(NT) on a remote machine (Dual P3 700MHz 256MB)

Surprisingly, snort seems to use the same amount of proc and memory regardless of the amount of
traffic passing through it.  It uses around 7MB of memory, and 50% of one processor (the SMP was
overkill as Snort only uses 1 processor) whether I'm jamming 45MB down its throat, or less traffic.

It used to bog down quite a bit, but that was running Snort and MySQL on the same machine, and Acid.
It would crawl and drop packets every time a large query was made via acid.  So now I've moved the
DB to its own box, and the only thing running on the Snort box is Snort.

I'm not sure about the HD requirements, since I'm only logging to the DB, but the lean nature of
OpenBSD should help out in that regard.

Regards,
Brad T.
----- Original Message -----
From: "Erek Adams" <erek at ...577...>
To: "SecLists" <lists at ...2257...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Tuesday, October 02, 2001 4:36 PM
Subject: Re: [Snort-users] Hardware required for monitoring a DS3


> On Tue, 2 Oct 2001, SecLists wrote:
>
> > I am wondering if any of you would know what type of Intel machine setup I
> > would need to monitor a DS3 at a fairly large service provider. The machine
> > would be running OpenBSD 2.9. The DS3 is typically at about 60-70% usage
> > at peak times... It will also be logging to a remote database.
> >
> > Also, any idea how much disk space we should plan for? The ruleset would
> > not be too stringent as we have many different types of traffic coming
> > over that link...
>
> Gee...  A big one?  Seriously, have a look at:
>
>   http://www.snort.org/docs/faq.html#2.10
>
> The honest answer is there is no 'one size fits all' answer.  Best suggestions
> I've seen:
>
> Good Nic! --Probably one of the most important..
> Fast Processor --Probably one of the most important.
> Plenty of RAM --Some preprocessors chew up RAM.
> Enough Disk --Enough disk to log X amount of time.
> Plenty of CPU --More traffic, the bigger the engine needs to be.
> Fast HD Cntrl --UWSCSI.
> Fast HD's --Solid State drives rock!
> Backend Nic --For Admin and logging to remote console.
>
> Now, yes you will spend some cash on this, but do a <cost of 'company
> secrets'> vs. <box cost> and you'll see real quick that the box is a lot
> cheaper!
>
> If you drop that into a box, you're gonna be able to snort a large amount of
> packets.  Just get 4x the box you think.  If it's 400mhz on the table, get a
> 1.2k cpu.  I know it sounds crazy, but it's easier not to rebuild every 2
> years...
>
> A Sun Netra X1 would be nice, or even a Netra T1.  Intel is not required...
> :)
>
>
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net