[Snort-users] Hardware required for monitoring a DS3

brandon at ...3618... brandon at ...3618...
Tue Oct 2 14:07:02 EDT 2001

On Tue, Oct 02, 2001 at 01:36:05PM -0700, Erek Adams wrote:
> On Tue, 2 Oct 2001, SecLists wrote:
> > I am wondering if any of you would know what type of Intel machine setup I
> > would need to monitor a DS3 at a fairly large sevice provider. The machine
> > would be running OpenBSD 2.9. The DS3 is typically at about 60-70% usage
> > at peak times... It will also be logging to a remote database.
> >
> > Also, any idea how much disk space we should plan for? The ruleset would
> > not be too stringent as we have many different types of traffic coming
> > over that link...
> Gee...  A big one?  Seriously, have a look st:
>   http://www.snort.org/docs/faq.html#2.10
> The honest answer is there is no 'one size fits all' answer.  Best suggestions
> I've seen:
> 	Good Nic!	--Probably one of the most important..
> 	Fast Processor	--Probably one of the most important.
> 	Plenty of RAM	--Some preprocssors chew up RAM.
> 	Enough Disk	--Enough disk to log X amount of time.
> 	Plenty of CPU	--More traffic, the bigger the engine needs to be.
> 	Fast HD Cntrl	--UWSCSI.
> 	Fast HD's	--Solid State drives rock!
> 	Backend Nic	--For Admin and logging to remote console.
> Now, yes you will spend some cash on this, but do a <cost of 'comapny
> secrets'> vs. <box cost> and you'll see real quick that the box is a lot
> cheaper!
> If you drop that into a box, you're gonna be able to snort a large amount of
> packets.  Just get 4x the box you think.  If it's 400mhz on the table, get a
> 1.2k cpu.  I know it sounds crazy, but it's easier not to rebuild every 2
> years...
> A Sun Netra X1 would be nice, or even a Netra T1.  Intel is not required...
> :)

We have a few DS3's and are averaging an aggregate of about 40MBit of them.
I have recently been evaluating upgrading.  We tried a Sun Netra T1/500MHz
and it was slower than our existing P3/850Mhz.  I also had some problems
because it appeared to actually process less packets but did not record ANY
lost packets, compared to our FreeBSD box on intel.  With a few minute
span each on the same hub recording the same data the Intel/BSD box
recorded about 2.3mil packets with less than 1 % loss and the SUn
recorded about 1.5 mil packets with zero loss.  We have since
disregarded the sun as a viable option.  What we did end up deciding
on was a Dual Athalon MP core at 1.2GHz.  We are buying the eracks
version (http://www.eracks.com).


More information about the Snort-users mailing list