[Snort-users] Enough Machine for Snort?
darden at ...710...
Wed Feb 6 12:43:03 EST 2002
I'll translate that 200-300MB to 250Mb/s (hoping to goodness that you
meant Mb not MB, and that you meant per second--not en tot, and
averaging it to 250 just to have a solid number to work with).
250Mb/s /8 = 31MB/s X 60 seconds = 1.875GB/m X 60 minutes = 112.5GB/hour
Speedwise, you need a disk subsystem capable of *writing* a sustained
average of 31MB/s. Mirroring is fast for reads, but slow for writes. The
data isn't that important. I would do a mirrored disk system for OS and
applications, and a striped system for the logged data.
Capacity-wise, you probably want a week's worth of logging at a time for
spotting progressive directed scans, so you would need 18.9TB of storage
(112.5GB/h * 24 * 7), or if you only have 10-hour work days, you could
safely halve that amount to roughly 9TB of storage. That's about 45 180GB
drives... you'll need a lot of electricity and cooling capability.
SCSI is obviously a necessity. You might want to use quad channel for
the logging system. I would also suggest that you get great gige NICs,
perhaps ones that offload the TCP/IP stack from the CPU. The fewer interrupts,
I/Os, and OS-level stuff you have to do, the better.
For an operating system, the newest FreeBSD has a lot of TCP/IP tweaks, is
stable, and is a great choice. Linux is my favorite OS, but the choices
for gige are sparse. Win 2K Pro is well thought of by some of my
colleagues in-house, but I have never used it. Solaris would be a good
choice, except to get the benefits you would have to buy the Sun
hardware--I recommend an E450 for the drive bays you will need.
CPU and RAM are fine.
If you just want 24 hours of logs, then it gets a lot easier. If you
discard all uninteresting packets (and use that definition loosely), then
it gets a LOT easier, but conversely you will not see so many interesting
patterns over time and might miss more subtle attacks.
--Patrick Darden Internetworking Manager
-- 706.475.3312 darden at ...710...
-- Athens Regional Medical Center
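As an added worked example (not part of Patrick's message or of the Snort project), here is the sizing arithmetic above generalised into a small Python calculator. The hours_per_day, drive_gb and keep_fraction parameters are assumptions for illustration; the defaults reproduce the figures in the post (250 Mb/s, 24x7 for a week, 180GB drives, everything logged).

```python
from dataclasses import dataclass
from math import ceil

# Decimal units (1 GB = 1000 MB) to match the arithmetic in the post.
MB_PER_GB = 1000
GB_PER_TB = 1000


@dataclass(frozen=True)
class CaptureSizing:
    write_rate_mb_s: float   # sustained write rate the log volume must absorb
    gb_per_hour: float       # capture volume per logging hour
    total_tb: float          # storage for the whole retention window
    drive_count: int         # whole drives of the given size


def size_capture_storage(link_load_mbit_s: float,
                         hours_per_day: float = 24.0,
                         retention_days: int = 7,
                         drive_gb: float = 180.0,
                         keep_fraction: float = 1.0) -> CaptureSizing:
    """Size the log volume for full-packet capture at a given link load.

    link_load_mbit_s: average traffic in megabits per second (the post's
        ambiguity: make sure the figure really is Mb, not MB).
    hours_per_day: hours of logging per day (24 for always-on capture).
    keep_fraction: share of packets actually written after filtering out
        uninteresting traffic (1.0 = log everything). Assumed parameter.
    """
    if not 0.0 < keep_fraction <= 1.0:
        raise ValueError("keep_fraction must be in (0, 1]")
    # Bits to bytes, then apply the filtering ratio.
    write_rate_mb_s = link_load_mbit_s / 8 * keep_fraction
    gb_per_hour = write_rate_mb_s * 3600 / MB_PER_GB
    total_gb = gb_per_hour * hours_per_day * retention_days
    return CaptureSizing(
        write_rate_mb_s=write_rate_mb_s,
        gb_per_hour=gb_per_hour,
        total_tb=total_gb / GB_PER_TB,
        drive_count=ceil(total_gb / drive_gb),
    )


if __name__ == "__main__":
    for hours in (24, 10):
        s = size_capture_storage(250, hours_per_day=hours)
        print(f"{hours:>2} h/day: write {s.write_rate_mb_s:.2f} MB/s, "
              f"{s.gb_per_hour:.1f} GB/h, {s.total_tb:.3f} TB, "
              f"{s.drive_count} x 180 GB drives")
```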
On Wed, 6 Feb 2002, Hall, Duane wrote:
> I am considering the following configuration:
> Dell Poweredge 1550
> 2 X Pentium III 1.4Ghz w/ 512K Cache
> 512MB SDRAM, 2 DIMMS
> 2 X 36Gb Ultra3 10K SCSI Hard drives in Mirror Mode
> Raid Card with 64 MB Cache
> 2 X Broadcom NetXtreme 10/100/1000 NICS
> Would this be enough to log about 200-300 MB traffic from a Gigabit
> Duane Hall
> Security Administrator