[Snort-users] How much machine do I need to run snort?

Abe L. Getchell abegetchell at ...530...
Thu Jan 31 09:31:05 EST 2002


Hi Greg,

With that much traffic, if you have the cash, check out the TopLayer
AS3500 (http://www.toplayer.com/) and load-balance the traffic across an
array of sensors.  You'll get much more reliable results than trying to
monitor this traffic with one, or a couple, of stand-alone sensors.  It
also lets you do things like send certain kinds of traffic to certain
sensors which are tuned to monitor a specific kind of traffic; send all
HTTP to a sensor (or a group of sensors) only checking HTTP, for
example.  If you have a protocol break-down of your network traffic,
this will allow you to specifically tune sensors to monitor certain
kinds of traffic and mirror that traffic from your network to the
appropriate sensor.

In terms of sensor configuration, just make sure you have fast
processors, lots of memory, a fast disk subsystem, and you should be
fine.  What architecture and OS are you going to be deploying your
sensors on?  It might help for us to know this if you want any specific
suggestions.

Try searching the archives to see how people are approaching a
centralized management structure while using Snort; it's been discussed
here before at length.  In short, yes you can do it, about twenty
different ways. =)

Thanks,
Abe

--
Abe L. Getchell
Security Engineer
abegetchell at ...530...

> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net 
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of 
> Greg Schmidt
> Sent: Wednesday, January 30, 2002 3:47 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] How much machine do I need to run snort?
> 
> 
> I have a class B network with 3 core switches that handle about
> 20,000 nodes.  How big of a box do I need to handle this?  I am
> looking at 1 box for each 2 core switches and 2 boxes for the main
> core switch, which has a 90 Mb/s Internet connection and a 45 Mb/s I2
> connection.  Also, can I take the data from the 4 machines, and route
> it all back to a main "management console"?  Thanks for the help.
>
> - Greg Schmidt, Manager Network Technology Services - Software Licensing
> Washington University in St. Louis
> One Brookings Drive, Campus Box 1048
> Prince Hall, Room 112
> St. Louis, MO 63130
> Phone (314) 935-7049   Fax (314) 935-7142
> gschmidt at ...4736...     http://sl.wustl.edu
> 
> 
> 
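
Added example, not part of the original post and not TopLayer's algorithm: a small model of the steering the reply describes, where traffic is sent to a sensor group by protocol and spread across the sensors in that group. It goes one step further than the post by hashing each flow symmetrically, so both directions of a connection reach the same sensor. The group names, port lists and sample packets are assumptions.

```python
import hashlib
from collections import Counter

# Hypothetical sensor groups: names and port lists are assumptions.
GROUPS = [
    ({80, 8080}, ["http-1", "http-2"]),   # sensors running only HTTP rules
    ({25, 110, 143}, ["mail-1"]),         # sensor tuned for mail protocols
]
DEFAULT_SENSORS = ["gen-1", "gen-2", "gen-3"]  # everything else


def flow_key(src, sport, dst, dport, proto):
    """Direction-independent key: sort the two endpoints."""
    a, b = sorted([(src, sport), (dst, dport)])
    return f"{proto}|{a[0]}:{a[1]}|{b[0]}:{b[1]}"


def pick_sensor(src, sport, dst, dport, proto="tcp"):
    """Choose a sensor group by service port, then hash the flow within it."""
    sensors = DEFAULT_SENSORS
    if proto == "tcp":
        for ports, members in GROUPS:
            if sport in ports or dport in ports:
                sensors = members
                break
    digest = hashlib.sha256(flow_key(src, sport, dst, dport, proto).encode()).digest()
    return sensors[int.from_bytes(digest[:4], "big") % len(sensors)]


def distribution(packets):
    """Packets per sensor, to check how evenly the array is loaded."""
    return Counter(pick_sensor(*p) for p in packets)


# Constructed sample packets: (src, sport, dst, dport, proto)
SAMPLE = [
    ("10.1.2.3", 40001, "192.0.2.10", 80, "tcp"),
    ("192.0.2.10", 80, "10.1.2.3", 40001, "tcp"),   # reply of the flow above
    ("10.1.9.9", 40002, "192.0.2.25", 25, "tcp"),
    ("10.1.4.4", 40003, "192.0.2.22", 22, "tcp"),
    ("10.1.5.5", 5353, "192.0.2.53", 53, "udp"),
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt, "->", pick_sensor(*pkt))
    print(dict(distribution(SAMPLE)))
```

Feeding a real protocol breakdown through `distribution` shows whether one group needs more sensors than another before any hardware is bought.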




