Erek Adams
Thu Oct 11 17:03:19 EDT 2001

Jake S wrote:

> Is there a doc that gives a rough idea of what type of hardware to use in
> a Y network according to Z amount of traffic?  My boss is looking for
> something to base our hardware purchasing on so that is why I ask.

Marty sent this info over to the list earlier this month.  It's the closest
thing we've got to a definitive guide ATM.


4) Hardware/OS recommendations

Ok, here are the guidelines and some parameters.  Intrusion detection is
turning into one of the most high performance production computing
fields that is in wide deployment today.  If you think about the
requirements of a NIDS sensor and the constraints that they are required
to operate within, you'll probably start to realize that it's not too
hard to find the performance wall with a NIDS these days.

The things a NIDS needs are:

RAM  (More is *always* better)
I/O  (Wide, fast busses and high performance NIC)
AODS (Acres Of Disk Space)

A NIDS also needs to be pretty quick internally at doing its job.
Snort's seen better days in that regard (when 1.5 came out the
architecture was a lot cleaner) but it's still considered to be one of
the performance leaders available.

As for OS selection, use what you like.  When we implement Data
Acquisition Plugins in Snort 2.0 this may become more of a factor, but
for now I'm hearing about a lot of people seeing a lot of success using
Snort on Solaris, Linux, *BSD and Windows 2000.  Personally, I develop
Snort on FreeBSD and Sourcefire uses OpenBSD for our sensor appliance
OS, but I've been hearing some good things about the RedHat Turbo Packet
interface (which would require mods for Snort to use, not to mention my
general objection to RedHat's breaking stuff all the time).


Hope that helps!

Erek Adams