[Snort-users] Considering using snort

Mark W. Jeanmougin mark.jeanmougin at ...14628...
Fri Aug 21 10:18:51 EDT 2009


There's only one answer to this question: "It depends"

It depends on traffic load, application load, hardware spec's, 
acceptable overhead, rule set, and all kinds of things that I probably 
haven't even thought about.

But, I think you've answered the question in you post.  If you've been 
running snort on your load balancer, and you're basically happy with 
performance, then it sounds like the performance impact is acceptable.

If you want to get a good idea of the impact, you could setup a simple 
cron job to run a "top -n 1" every so often, then grep the results for 
snort.  This will tell you the amount of CPU time used by snort at 
various points throughout the day.

It appears that my idea of a  "simple cron job" may differ from most 
people's.  If you need help setting that up, just let me know!  :)

Happy Friday,


On 08/21/2009 05:52 AM, Guy wrote:
> Hi,
> One of our old boxes (set up by a previous sys admin) has snort on it.
> It's about to be reinstalled, so before I include snort in the
> reinstall I'd just like to find out one or two things.
> The machine it's currently on is a load balancer, so most of our
> traffic hits one of the load balancers before going on to other
> servers. But, due to the way our hosting company provides machines,
> all our other servers can be accessed directly from the internet, even
> though we use the LAN for most data transfer.
> What sort of load (CPU,RAM and I/O) does snort add to a server as some
> of our servers already have fair load doing mail, mail scanning, etc?
> I'm curious whether Snort would be usable on all our servers or would
> be better to only have on the main entry points, the load balancers,
> since they're not running heavy services.
> Any other advice about this would be appreciated.
> Thanks
> Guy

More information about the Snort-users mailing list