[Snort-users] Hardware required for monitoring a DS3
brandon at ...3618...
Tue Oct 2 14:07:02 EDT 2001
On Tue, Oct 02, 2001 at 01:36:05PM -0700, Erek Adams wrote:
> On Tue, 2 Oct 2001, SecLists wrote:
> > I am wondering if any of you would know what type of Intel machine setup I
> > would need to monitor a DS3 at a fairly large service provider. The machine
> > would be running OpenBSD 2.9. The DS3 is typically at about 60-70% usage
> > at peak times... It will also be logging to a remote database.
> > Also, any idea how much disk space we should plan for? The ruleset would
> > not be too stringent as we have many different types of traffic coming
> > over that link...
> Gee... A big one? Seriously, have a look at:
> The honest answer is there is no 'one size fits all' answer. Best suggestions
> I've seen:
> Good Nic! --Probably one of the most important..
> Fast Processor --Probably one of the most important.
> Plenty of RAM --Some preprocessors chew up RAM.
> Enough Disk --Enough disk to log X amount of time.
> Plenty of CPU --More traffic, the bigger the engine needs to be.
> Fast HD Cntrl --UWSCSI.
> Fast HD's --Solid State drives rock!
> Backend Nic --For Admin and logging to remote console.
> Now, yes you will spend some cash on this, but do a <cost of 'company
> secrets'> vs. <box cost> and you'll see real quick that the box is a lot
> If you drop that into a box, you're gonna be able to snort a large amount of
> packets. Just get 4x the box you think. If it's 400mhz on the table, get a
> 1.2k cpu. I know it sounds crazy, but it's easier not to rebuild every 2
> A Sun Netra X1 would be nice, or even a Netra T1. Intel is not required...
We have a few DS3's and are averaging an aggregate of about 40MBit of them.
I have recently been evaluating upgrading. We tried a Sun Netra T1/500MHz
and it was slower than our existing P3/850MHz. I also had some problems
because it appeared to actually process fewer packets but did not record ANY
lost packets, compared to our FreeBSD box on intel. With a few minute
span each on the same hub recording the same data the Intel/BSD box
recorded about 2.3 mil packets with less than 1% loss and the Sun
recorded about 1.5 mil packets with zero loss. We have since
disregarded the sun as a viable option. What we did end up deciding
on was a Dual Athlon MP core at 1.2GHz. We are buying the eracks
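The sanity check Brandon's comparison relies on (two sensors on the same hub, same time span) can be made explicit. The script below is an added example, not code from the thread or from Snort: it uses the reference sensor's capture count and reported loss to estimate the true packet count on the wire, then derives how many packets the second sensor silently missed, and it estimates the packet rate a DS3 presents at a given utilization. The DS3 line rate (44.736 Mbps) and the 500-byte average packet size are assumptions; the capture figures are taken from the post.

```python
# Cross-check a sensor's own drop counter against a reference capture.
# Added example; the capture numbers below are the ones quoted in the post.

DS3_LINE_RATE_BPS = 44_736_000  # assumed DS3 line rate; framing overhead ignored


def estimate_silent_loss(ref_captured, ref_reported_loss,
                         other_captured, other_reported_loss,
                         tolerance=0.05):
    """Compare two sensors that saw the same traffic for the same span.

    ref_reported_loss / other_reported_loss are fractions (0.01 == 1%).
    Returns the implied packets on the wire, the loss implied for the
    second sensor, and whether its own counter is inconsistent with that.
    """
    if not 0 <= ref_reported_loss < 1:
        raise ValueError("reference loss must be a fraction in [0, 1)")
    # What the reference sensor believes was on the wire, given its own drops.
    wire_total = ref_captured / (1.0 - ref_reported_loss)
    implied_loss = 1.0 - (other_captured / wire_total)
    # A sensor reporting far less loss than the wire count implies is
    # dropping packets it does not count (the behaviour the post describes).
    inconsistent = (implied_loss - other_reported_loss) > tolerance
    return {
        "wire_total": wire_total,
        "implied_loss": implied_loss,
        "counter_inconsistent": inconsistent,
    }


def ds3_pps(utilization, avg_packet_bytes=500):
    """Approximate packets per second a DS3 carries at a given utilization.

    avg_packet_bytes is an assumed average frame size; real mixes vary widely.
    """
    if not 0 <= utilization <= 1:
        raise ValueError("utilization must be a fraction in [0, 1]")
    return DS3_LINE_RATE_BPS * utilization / (avg_packet_bytes * 8)


if __name__ == "__main__":
    # Figures from the post: Intel/BSD 2.3M packets at <1% loss,
    # Sun 1.5M packets reporting 0% loss, same hub, same span.
    result = estimate_silent_loss(2_300_000, 0.01, 1_500_000, 0.0)
    print(f"implied loss on second sensor: {result['implied_loss']:.1%}")
    print(f"drop counter inconsistent: {result['counter_inconsistent']}")
    print(f"DS3 at 65% utilization, 500B packets: {ds3_pps(0.65):.0f} pps")
```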