[Snort-users] Considering using snort
Mark W. Jeanmougin
mark.jeanmougin at ...14628...
Fri Aug 21 10:18:51 EDT 2009
There's only one answer to this question: "It depends"
It depends on traffic load, application load, hardware spec's,
acceptable overhead, rule set, and all kinds of things that I probably
haven't even thought about.
But, I think you've answered the question in you post. If you've been
running snort on your load balancer, and you're basically happy with
performance, then it sounds like the performance impact is acceptable.
If you want to get a good idea of the impact, you could setup a simple
cron job to run a "top -n 1" every so often, then grep the results for
snort. This will tell you the amount of CPU time used by snort at
various points throughout the day.
It appears that my idea of a "simple cron job" may differ from most
people's. If you need help setting that up, just let me know! :)
On 08/21/2009 05:52 AM, Guy wrote:
> One of our old boxes (set up by a previous sys admin) has snort on it.
> It's about to be reinstalled, so before I include snort in the
> reinstall I'd just like to find out one or two things.
> The machine it's currently on is a load balancer, so most of our
> traffic hits one of the load balancers before going on to other
> servers. But, due to the way our hosting company provides machines,
> all our other servers can be accessed directly from the internet, even
> though we use the LAN for most data transfer.
> What sort of load (CPU,RAM and I/O) does snort add to a server as some
> of our servers already have fair load doing mail, mail scanning, etc?
> I'm curious whether Snort would be usable on all our servers or would
> be better to only have on the main entry points, the load balancers,
> since they're not running heavy services.
> Any other advice about this would be appreciated.
More information about the Snort-users