[Snort-users] Design questions...
Randy.Bey at ...6683...
Tue Oct 29 07:26:05 EST 2002
Don't have any good info for you but another consideration regarding
If one sensor is outside the firewall and another is inside (a common
scenario), you will incur the wrath of the security gods by having a
machine that bypasses the firewall.
7300 W 147th St Suite 300
Apple Valley, MN 55124
From: Jeremy Finke [mailto:Jeremy.Finke at ...7343...]
Sent: Tuesday, October 29, 2002 8:46 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Design questions...
Hi, hopefully, my email is sorted out now and this will get through...
I have some performance questions that I hope that someone would be able
to help me out with.
I am trying to convince my boss to start implementing Snort at a serious
level. Problem is, he is a Windows/closed source type of guy and I am a
Unix/open source type of guy. I am trying to convince him to buy
separate boxes for each of the sensors and then a logging box that has
its own private network to send data across. Ideally, I would have 4
Snort sensors and one of them be an ACID/PHP/MySQL log server. He does
not want to pay for all the boxes because he thinks that they are going
to cost $2.5k a pop. I think that we can go with a non major vendor
(pogo linux, penguin computing, etc....) and get it cheaper, but that is
a different story.
So, he brought up the idea of having one big box and having multiple
NICs. Now, I know that this can easily be done using multiple Snort
processes/conf files/etc... However, I am wondering about the
performance of such a beast. What type of horsepower do I need to
monitor 2 T1s (on separate networks) and 2 100MB networks (also
separate)? Also, it will probably be running the database as well, on a
separate network. Can people give me an idea of what they are running