[Snort-users] Question about hardware and software requirement for Snort 2.0.5

twig les twigles at ...131...
Wed Dec 3 18:11:04 EST 2003

> My questions are:
> 1. How much memory and hard disk space do I need to monitor 4
> vlan with 8 computers each?
> At least how much memory and hard disk space do I need for one
> vlan with 8 computers?

Depends on traffic, you're probably fine right now if you make
this box a dedicated sensor.

> 2. How much processor speed do I need for above mentioned 4
> vlans? Or at least for one vlan?

Depends on traffic.  VLANs don't mean anything to snort.

> 3. What OS do you recommend?

FreeBSD 4.x.  The 5.x line is not recommended for production yet
and won't reach -stable for some months (probably).

> 3. If I want to use ACID what RDBMS should I use? I need some
> interface to see IDS alerts in real time.
> Or is there any other way to view alerts in real time?

You can just keep the log file that syslog is sending alerts to
open with "tail -f".  Or just get a dedicated viewer and
dedicated sniffer.  MySQL works fine, so does ACID.

> 4. Can somebody point me to or share real-life examples and
> configurations of snort for ISP? Something like ISP with
> 5000 users and ISP has 10MB satellite connection.

I do the snort at a small ISP offering and have similar
hardware.  I'm also on FBSD.  Admining those boxes is the
biggest scam in the world since I basically do nothing but patch
them every 6 months or so.  They just sit there and run.

> 5. I thought snort is best for IDS. But is there any good
> alternative IDS which uses less CPU, memory?

Tweak the settings to use less memory.  I'll point to the manual
on that one since I haven't bothered with that in months.

> 6. Are there any other recommendations for running IDS for ISP?

No.  I've worked with 2 commercial ones as well as snort and
they sucked.  Big, clunky, expensive,
objectify-everything-in-GUI garbage.  They play the "hide the
helpful info" game too.

> 7. Do I need IDS load balancer? If I need how many IDS sensors
> do I need?

You have a lot of room to work with snort before you bother
spending the money on a load balancer.  De-couple the sensor
from the database server then tinker for a couple of weeks
before even looking at load balancers.

> I'm asking a lot of questions at one time, but I really need
> to install and use IDS sensors and
> I hope somebody on this list can point me in the right direction.

