On Sat, Jul 27, 2002 at 04:01:09PM -0500, Neal Hamilton wrote:
> I can't find any documentation on what would be a starting point for cpu/mem
> requirements. The spare machines I have rummaged up for this
> project are the following:

One of those sorts of questions that mainly get answered "It

The general snort answer:

1) how many, and what sort of rules will you be running? "Fewer" is
better, but what's "fewer"...

2) what kind of logging will you be doing?  -b binary logging is by
far fastest; logging to a console is slow.

3) what else is running on the snort host? Database; web server; etc

> 1. The sensor that will be running snort (266mhz pent2 with 396meg ram).
>      The sensor is on an ipf/openbsd bridge with 3 interfaces. 2 of the
> interfaces will be in bridge mode with no ip address. Of the 2 stealth
> interfaces only one, the one connected to the cable modem, will be running
> as a snort sensor and will have no firewall rules associated with it as I
> want to see everything and filtering would make the snort sensor useless.
> The other stealth interface will be connected to the nat router from my lan
> and will not be a sensor but will have some filters applied to it.

> Is the above acceptable for a cable modem 10/100 network?

I'd think, absolutely, but see: 1), 2), and 3), above.

I'm running snort on a firewall/router, a Pentium 150 classic with
96mb RAM out of a modem, for a 10/100 LAN with four other boxes back
behind, and snort never breaks a sweat.

I *am* binary logging, and logging to syslog, and I'm also alerting to
a MySQL database off on another host..

I'm running snort against most all of the stock rules, and maybe an
additional 75 more custom rules that essentially alert or log

My snort host is also running a caching-only nameserver, tcpdump on
two interfaces, xntpd, emacs, but *not* X -- it's CLI only..

> 2. The PureSecure Console running mysql and apache. Note: server will not
> be running snort, the main sensor is the box mentioned above. The machine I
> have picked up for this is a (500mhz amd with 256 megs of pc-100 ram and an
> 80gig ata100 hd.) Is this enough power for currently one sensor and maybe
> another later?

I'm running ACID/MySQL on an AMD K6-2 500, 256mb RAM, that's running
a lot of other stuff, and it never breaks a sweat, either. OS = RHL 7.2 

> The OS I have chosen for the sensor (bridge) is OpenBSD 3.1.
> The OS I have chosen for the Mysql database and apache server is Redhat
> linux 7.2, because there will be another app running on this box that only
> runs on rdh linux...so I have to use it. The app does not use much
> cpu/memory; sometimes I can't even tell it's running because it has such a
> small footprint.
> Any advice, help, guidance would be appreciated.
> Have a great day.
> Thanks,
> Neal Hamilton

Best wishes,

- John
