[Snort-users] Hardware requireds...

Franki frankieh at ...2806...
Tue Oct 2 14:04:01 EDT 2001


using your below mentioned details,,,

what sort of bandwidth would a  1.4gig athlon 512mb and 60gig ATA100 7200rpm
IBM drive 2x10/100 nic's running 2.4.x linux  be able to handle with a
fairly normal ruleset??

we have 2 or 3 networks that I'd like to set snort up on,, (or possibly
prelude,, dunno yet, testing will tell.)

and I want to know roughly what sort of machine is suitable for what amount
of traffic its monitoring..

We have a couple of the above listed machines here that are not currently
doing anything else and I was wondering how well they would fair... I
suppose the hard disk and ram would be the letdowns????

anyway, if anyone has that sort of machine running as a snort server, what
sort of connection do you monitor and is your machine handling the load
ok???


rgds

Frankn




-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Erek Adams
Sent: Wednesday, 3 October 2001 4:36 AM
To: SecLists
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Hardware required for monitoring a DS3


On Tue, 2 Oct 2001, SecLists wrote:

> I am wondering if any of you would know what type of Intel machine setup I
> would need to monitor a DS3 at a fairly large sevice provider. The machine
> would be running OpenBSD 2.9. The DS3 is typically at about 60-70% usage
> at peak times... It will also be logging to a remote database.
>
> Also, any idea how much disk space we should plan for? The ruleset would
> not be too stringent as we have many different types of traffic coming
> over that link...

Gee...  A big one?  Seriously, have a look st:

  http://www.snort.org/docs/faq.html#2.10

The honest answer is there is no 'one size fits all' answer.  Best
suggestions
I've seen:

	Good Nic!	--Probably one of the most important..
	Fast Processor	--Probably one of the most important.
	Plenty of RAM	--Some preprocssors chew up RAM.
	Enough Disk	--Enough disk to log X amount of time.
	Plenty of CPU	--More traffic, the bigger the engine needs to be.
	Fast HD Cntrl	--UWSCSI.
	Fast HD's	--Solid State drives rock!
	Backend Nic	--For Admin and logging to remote console.

Now, yes you will spend some cash on this, but do a <cost of 'comapny
secrets'> vs. <box cost> and you'll see real quick that the box is a lot
cheaper!

If you drop that into a box, you're gonna be able to snort a large amount of
packets.  Just get 4x the box you think.  If it's 400mhz on the table, get a
1.2k cpu.  I know it sounds crazy, but it's easier not to rebuild every 2
years...

A Sun Netra X1 would be nice, or even a Netra T1.  Intel is not required...
:)


-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users





More information about the Snort-users mailing list