[Snort-users] Sizing a machine for Snort
erek at ...577...
Tue Sep 18 23:07:02 EDT 2001
On Tue, 18 Sep 2001, Muscat, Tyrone J. wrote:
> I am considering installing a IDS based on Snort
And a Dandy Choice it is too!
> My Operating System will probably be Solaris 8 (Management does not care for
At least your management seems to have a clue about stable OS'es. *duck*
(Sorry, I'm a Solaris Bigot--I've gotta take the ocasional Linux pot-shot!)
> How much disk space is a good starting point for logs...
As much as you want to keep. ;-) Disks are cheap. Buy a 10+gig SCSI drive
and go to town!
> How much disk space for a MySQL Database setup...
Again, as much as you want! Get as much as they will fund! If they will
support a RAID 1+0 at 100GB then take it and don't look back!
Just be sure that your central console has 10x-15x the disk that your sensors
have. You need to hang onto the data for correlation and analysis.
> I looked through the archives but I did not find any mention on disk
> Should I log all the traffic or just the alerts
That depends. If you're following the SHADOW model, then log it all and use
BPF filters to clear the cruft.
If you're using the Snort model, only log alerts. That's all you're really
> My end goal is to log alerts to a web page and be able to produce a few
> charts for management to prove that security is important.
ACID. More ACID. Oh, wait... That might be hard to sell to management...
;-) Seriously, check out http://acidlabs.sourceforge.net/ It's well worth
the time for setup with MySQL and PHP. Besides, it produces 'mangement
friendly' information (web pages with charts and pictures).
Hope this helps!
More information about the Snort-users