[Snort-users] Deployment Sizes? was: anyone trying kickfire to improve SQL performance?

Jason Haar Jason.Haar at ...294...
Sat May 3 17:13:54 EDT 2008


Stewart L wrote:
> Well, I wasn't in charge of the deployment. I handed it off to one of 
> the guys on my team to do the research and recommendations.
>
> Part of the problem is that there is no SOLID advice out there on how 
> to set up and tweak a lot of this stuff.  We have the O'Reilly books 
> and have done some searches, but there is a lot of hand waving and not 
> a lot of solid answers.

There are too many variables for there to be a "one size fits all" 
answer. That's why companies like SourceFire exist - they do all that 
background 'thinking' for you and produce a product that 'just works'.

You should check the solution you have actually works. 6-16 100Mbs 
Ethernet monitors on one box is probably too many. Unless you've 
cherry-picked the motherboard, Ethernet cards, etc. And I'm assuming 
they're 100M - if they are Gb - you almost certainly have a problem.


>
> So, you're saying that if I were to have another machine do the actual 
> capture and a separate database machine, I'd be better off in the long 
> haul?  That should be pretty easy to set up.
>
Yup - you won't get all the hard SQL work interfering with the hard 
packet sniffing work. And barnyard of course instead of native SQL support.

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




