[Snort-users] Hardware requireds...
erek at ...577...
Tue Oct 2 17:52:01 EDT 2001
On Wed, 3 Oct 2001, Franki wrote:
> what sort of bandwidth would a 1.4gig athlon 512mb and 60gig ATA100 7200rpm
> IBM drive 2x10/100 NICs running 2.4.x linux be able to handle with a
> fairly normal ruleset??
Your first bottleneck will be the disk sub-system.
What _type_ of NIC? Intel Pro's seem to have a rather good following...
> we have 2 or 3 networks that I'd like to set snort up on, (or possibly
> prelude, dunno yet, testing will tell.)
> and I want to know roughly what sort of machine is suitable for what amount
> of traffic it's monitoring..
What is the sustained transfer rate of all the nets combined? That's
> We have a couple of the above listed machines here that are not currently
> doing anything else and I was wondering how well they would fare... I
> suppose the hard disk and ram would be the letdowns????
HD Yes. RAM No. Hell, I've seen Snort kick some serious ass on a Sparc 5
(70mhz) off of a T1. It got a sustained 20-40mbs and did just fine.
> anyway, if anyone has that sort of machine running as a snort server, what
> sort of connection do you monitor and is your machine handling the load
Well, let's say that in the real world, I can't talk about it. ;-) In the
"TEST LAB" I've had a Sparc E450 sucking packets from 10 (440R's). Using a GB
and 100mb interface, it does just dandy. Of course, YMMV depending on users'
habits, how you tune your rules, etc...
It's almost a crap shoot. :) Roll one of those out and see what it does. I
would honestly suggest Free or OpenBSD on it though. TCP/IP stack has a
better performance than Linux--Or maybe I'm just biased. ;-}