[Snort-users] Design questions...

Randy Bey Randy.Bey at ...6683...
Tue Oct 29 07:26:05 EST 2002

Don't have any good info for you but another consideration regarding
multi-homed box:
If one sensor is outside firewall and another is inside, (a common
scenario), you will incur the wrath of the security gods having a
machine that bypasses the firewall.

Randy Bey
RiverNorth Systems
7300 W 147th St Suite 300
Apple Valley, MN 55124

-----Original Message-----
From: Jeremy Finke [mailto:Jeremy.Finke at ...7343...] 
Sent: Tuesday, October 29, 2002 8:46 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Design questions...

Hi, hopefully, my email is sorted out now and this will get through... 
I have some performance questions that I hope that someone would be able
to help me out with. 
I am trying to convince my boss to start implementing snort at a serious
level. Problem is, he is a windows/closed source type of guy and I am a
unix/open source type of guy. I am trying to convince him to buy
seperate boxes for each of the sensors and then a logging box that has
its own private network to send data across. Ideally, I would have 4
snort sensors and one of them be an ACID/PHP/MySQL log server. He does
not want to pay for all the boxes because he thinks that they are going
to cost $2.5k a pop. I think that we can go with a non major vendor
(pogo linux, penguin computing, etc....) and get it cheaper, but that is
a different story. 
So, he brought up the idea of having one big box and having multiple
nics. Now, I know that this can easily be done using multiple snort
processes/conf files/etc... However, I am wondering about the
performance of such a beast. What type of horsepower do I need to
monitor 2 T1s (on seperate networks) and 2 100MB networks (also
seperate)? Also, it will probably be running the database as well, on a
seperate network. Can people give me an idea of what they are running
out there? 
Jeremy Finke 

More information about the Snort-users mailing list