[Snort-users] hardware requirements

Erek Adams erek at ...950...
Thu Jun 26 09:20:16 EDT 2003

On Thu, 26 Jun 2003, Brei, Matt wrote:

> I would like to get an idea on what type of hardware you are all running
> snort on and what size network it services.  I plan on using
> snort/MySQL/acid to monitor internet usage and log policy violation on a
> network with about 100 users.  I have the same basic set up at home with
> snort running on a 450 K6-2 logging to MySQL/acid on a 1100 Athlon both
> using PC133 and standard IDE drives (ATA100 and UDMA66).  With this many
> users and having all of the components (snort/MySQL/acid) all on 1
> machine, would it be a good idea to go with SCSI, DDR and 10/100/1000?
> This setup also needs to be scalable up to about 250 users.

Well, there's been a _lot_ of discussion on hardware over time.  What it
basically boils down to are a few simple things:

*  I/O speed:  As fast as you can go.  IDE will do for small setups, but
UW-SCSI is quite a bit better.  And if you can _really_ throw money at it,
use SSD!
*  CPU speed:  Really depends on your traffic.  Sadly there is no hard and
fast rule on speed vs. bandwidth.  I've seen reports of folks using fairly
low end hardware ( around 200 mhz ) and a really tuned ruleset handling
rather big pipes.  For the most part, as fast as you can.  You can't ever
be too fast for Snort.  :)
*  RAM:  With v2.0 Snort's memory usage really jumped.  If you're using
spp_conversation and spp_portscan2, you're going to need a pretty big
chunk of memory (about 70MB on my test box) to handle things.  The more
conversations you see, the larger that memory pool will be.  Again, it's
the 'Bigger is Better' thing.  Throw as much memory as you can at it.
512mb is a pretty good 'safe' point.
*  Separate boxes:  The best performance comes from having a 'simple'
sensor, a Web/ACID box and a DB on a third.  Throw CPU and RAM at the DB
box, since ACID has some rather large queries.

Keep in mind that it's not 'how many users' that make the difference.
It's 'how much bandwidth are they eating?'.

Hope that helps!

Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

