[Snort-users] Design questions...

Jarret Gibson jarret at ...7313...
Tue Oct 29 07:42:05 EST 2002


Right now, I have a single Win 2k server which I do web development from (P3 400, 128 RAM) which is also running Snort to monitor two T-1 lines and a 10 mbps network of about 25 systems. It is logging to its MSSQL installation. Believe it or not, it's actually handling all the traffic pretty flawlessly. I do have to reboot it every few days as Snort and MSSQL slowly but surely seem to consume my page file (memory leak? not sure).

IMO, I'd give it a shot. The two T-1 lines would be no problem for a modern dedicated machine to keep up with. The 100 mbps networks, I honestly don't know. If it's doing nothing but running Snort, I'm betting it would handle it. Take what ya can get and give it a try :D

Jarret Gibson


  ----- Original Message -----
  From: Jeremy Finke
  To: snort-users at lists.sourceforge.net
  Sent: Tuesday, October 29, 2002 9:45 AM
  Subject: [Snort-users] Design questions...


  Hi, hopefully my email is sorted out now and this will get through...
  I have some performance questions that I hope someone would be able to help me out with.
  I am trying to convince my boss to start implementing Snort at a serious level. Problem is, he is a Windows/closed source type of guy and I am a Unix/open source type of guy. I am trying to convince him to buy separate boxes for each of the sensors and then a logging box that has its own private network to send data across. Ideally, I would have 4 Snort sensors and one of them be an ACID/PHP/MySQL log server. He does not want to pay for all the boxes because he thinks that they are going to cost $2.5k a pop. I think that we can go with a non-major vendor (Pogo Linux, Penguin Computing, etc....) and get it cheaper, but that is a different story.

  So, he brought up the idea of having one big box and having multiple NICs. Now, I know that this can easily be done using multiple Snort processes/conf files/etc... However, I am wondering about the performance of such a beast. What type of horsepower do I need to monitor 2 T1s (on separate networks) and 2 100MB networks (also separate)? Also, it will probably be running the database as well, on a separate network. Can people give me an idea of what they are running out there?

  Thanks!
  Jeremy Finke
