[Snort-users] Enough Machine for Snort?

Patrick Darden darden at ...710...
Wed Feb 6 12:43:03 EST 2002

I'll translate that 200-300MB to 250Mb/s (hoping to goodness that you
meant Mb not MB, and that you meant per second--not in total, and
averaging it to 250 just to have a solid number to work with).

250Mb/s / 8 = 31MB/s x 60 seconds = 1.875GB/min x 60 minutes = 112.5GB/hour

Speedwise, you need a disk subsystem capable of *writing* a sustained
average of 31MB/s.  Mirroring is fast for reads, but slow for writes.  The
data isn't that important.  I would do a mirrored disk system for OS and
applications, and a striped system for the logged data.

Capacity, you probably want a week's worth of logging at a time for
spotting progressive directed scans, so you would need 18.9TB of storage
(112.5GB/h * 24 * 7), or if you only have 10 hour work days, you could
safely halve that amount to roughly 9TB of storage.  That's about 45 180GB
drives... you'll need a lot of electricity and cooling capability.

SCSI is obviously a necessity.  You might want to use quad channel for
the logging system.  I would also suggest that you get great gige NICs,
perhaps ones that offload the TCP/IP stack from the CPU.  The fewer interrupts,
IOs, and OS level stuff you have to do, the better.

For an operating system, the newest FreeBSD has a lot of TCP/IP tweaks, is
stable, and is a great choice.  Linux is my favorite OS, but the choices
for gige are sparse.  Win 2K Pro is well thought of by some of my
colleagues in-house, but I have never used it.  Solaris would be a good
choice, except to get the benefits you would have to buy the Sun
hardware--I recommend an E450 for the drive bays you will need.

CPU and RAM are fine.

If you just want 24 hours of logs, then it gets a lot easier.  If you
discard all uninteresting packets (and use that definition loosely), then
it gets a LOT easier, but conversely you will not see so many interesting
patterns over time and might miss more subtle attacks.

--Patrick Darden                Internetworking Manager             
--                              706.475.3312    darden at ...710...
--                              Athens Regional Medical Center

On Wed, 6 Feb 2002, Hall, Duane wrote:

> I am considering the following configuration:
> Dell Poweredge 1550
> 2 X Pentium III 1.4Ghz w/ 512K Cache
> 2 X 36Gb Ultra3 10K SCSI Hard drives in Mirror Mode
> Raid Card with 64 MB Cache
> 2 X Broadcom NetXtreme 10/100/1000 NICS
> Would this be enough to log about 200-300 MB traffic from a Gigabit
> Ethernet?
> Thanks
> Duane
> **************************
> Duane Hall
> Security Administrator
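The sizing arithmetic in Patrick's reply (link rate to sustained write rate to weekly storage to drive count) generalizes to a small calculator. The following is an added example written for this archive page, not code from either poster or from the Snort project; the class name, the parameters (retention hours per day, RAID capacity factor, headroom) and the adequacy check for the disk subsystem are assumptions chosen to make the reply's reasoning reusable with other link rates and drive sizes.

```python
import math
from dataclasses import dataclass


@dataclass
class SensorLogPlan:
    """Capacity plan for a full-packet-logging sensor (hypothetical helper)."""

    link_mbps: float             # average captured traffic, megabits per second
    hours_per_day: float = 24.0  # hours of traffic you actually retain per day
    retention_days: int = 7      # how many days of logs to keep on the sensor
    drive_gb: float = 180.0      # raw capacity of one drive in GB
    raid_capacity_factor: float = 1.0  # 1.0 for striping (RAID 0), 0.5 for mirroring
    headroom: float = 0.0        # fraction of extra space to leave free (0.2 = 20%)

    def write_mb_per_s(self) -> float:
        # megabits per second divided by 8 gives megabytes per second to disk
        return self.link_mbps / 8.0

    def gb_per_hour(self) -> float:
        # MB/s * 3600 s/h, then MB -> GB (decimal units, as in the reply)
        return self.write_mb_per_s() * 3600.0 / 1000.0

    def storage_gb(self) -> float:
        # total log volume for the retention window
        return self.gb_per_hour() * self.hours_per_day * self.retention_days

    def drives_needed(self) -> int:
        # usable space per drive shrinks under mirroring; round up to whole drives
        usable_per_drive = self.drive_gb * self.raid_capacity_factor
        required = self.storage_gb() * (1.0 + self.headroom)
        return math.ceil(required / usable_per_drive)

    def disk_write_is_adequate(self, measured_write_mb_s: float,
                               safety_margin: float = 1.5) -> bool:
        # the disk subsystem must sustain the average write rate with margin,
        # since traffic is bursty and the average hides peaks
        return measured_write_mb_s >= self.write_mb_per_s() * safety_margin


if __name__ == "__main__":
    # Numbers from the reply: 250 Mb/s, one week, 180 GB drives, striped log volume.
    full_week = SensorLogPlan(link_mbps=250)
    work_hours = SensorLogPlan(link_mbps=250, hours_per_day=10)
    mirrored = SensorLogPlan(link_mbps=250, hours_per_day=10, raid_capacity_factor=0.5)
    print(f"sustained write: {full_week.write_mb_per_s():.2f} MB/s")
    print(f"per hour: {full_week.gb_per_hour():.1f} GB, per week: {full_week.storage_gb():.0f} GB")
    print(f"180 GB drives, 24h/day, striped: {full_week.drives_needed()}")
    print(f"180 GB drives, 10h/day, striped: {work_hours.drives_needed()}")
    print(f"180 GB drives, 10h/day, mirrored: {mirrored.drives_needed()}")
    # constructed measurement: a mirrored pair benchmarked at 40 MB/s sustained writes
    print(f"40 MB/s write subsystem adequate: {full_week.disk_write_is_adequate(40.0)}")
```

The `raid_capacity_factor` and `disk_write_is_adequate` check capture the two points the reply makes separately: mirroring halves usable capacity and is the slower option for writes, so the striped log volume needs both enough spindles and a measured sustained write rate comfortably above the average.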
