On Wed, 3 Oct 2001, Franki wrote:

> what sort of bandwidth would a 1.4gig athlon 512mb and 60gig ATA100 7200rpm
> IBM drive 2x10/100 NICs running 2.4.x linux be able to handle with a
> fairly normal ruleset??

Your first bottleneck will be the disk sub-system.

What _type_ of NIC?  Intel Pro's seem to have a rather good following...

> we have 2 or 3 networks that I'd like to set snort up on, (or possibly
> prelude, dunno yet, testing will tell.)
> and I want to know roughly what sort of machine is suitable for what amount
> of traffic it's monitoring..

What is the sustained transfer rate of all the nets combined?  That's

> We have a couple of the above listed machines here that are not currently
> doing anything else and I was wondering how well they would fare... I
> suppose the hard disk and ram would be the letdowns????

HD Yes.  RAM No.  Hell, I've seen Snort kick some serious ass on a Sparc 5
(70mhz) off of a T1.  It got a sustained 20-40mbs and did just fine.

> anyway, if anyone has that sort of machine running as a snort server, what
> sort of connection do you monitor and is your machine handling the load
> ok???

Well, let's say that in the real world, I can't talk about it.  ;-)  In the
"TEST LAB" I've had a Sparc E450 sucking packets from 10 (440R's).  Using a GB
and 100mb interface, it does just dandy.  Of course, YMMV depending on users'
habits, how you tune your rules, etc...

It's almost a crap shoot.  :)  Roll one of those out and see what it does.  I
would honestly suggest Free or OpenBSD on it though.  TCP/IP stack has a
better performance than Linux--Or maybe I'm just biased.  ;-}

Good Luck!

Erek Adams

