[Snort-users] Sizing a machine for Snort

Erek Adams erek at ...577...
Tue Sep 18 23:07:02 EDT 2001

On Tue, 18 Sep 2001, Muscat, Tyrone J. wrote:

> I am considering installing an IDS based on Snort

And a Dandy Choice it is too!

> My Operating System will probably be Solaris 8 (Management does not care for
> Linux)

At least your management seems to have a clue about stable OSes.  *duck*
(Sorry, I'm a Solaris Bigot--I've gotta take the occasional Linux pot-shot!)

> How much disk space is a good starting point for logs...

As much as you want to keep.  ;-)  Disks are cheap.  Buy a 10+gig SCSI drive
and go to town!

> How much disk space for a MySQL Database setup...

Again, as much as you want!  Get as much as they will fund!  If they will
support a RAID 1+0 at 100GB then take it and don't look back!

Just be sure that your central console has 10x-15x the disk that your sensors
have.  You need to hang onto the data for correlation and analysis.

> I looked through the archives but I did not find any mention on disk
> space....
> Should I log all the traffic or just the alerts

That depends.  If you're following the SHADOW model, then log it all and use
BPF filters to clear the cruft.

If you're using the Snort model, only log alerts.  That's all you're really
interested in...

> My end goal is to log alerts to a web page and be able to produce a few
> charts for management to prove that security is important.

ACID.  More ACID.  Oh, wait...  That might be hard to sell to management...
;-)  Seriously, check out http://acidlabs.sourceforge.net/  It's well worth
the time for setup with MySQL and PHP.  Besides, it produces 'management
friendly' information (web pages with charts and pictures).

Hope this helps!

Erek Adams

