[Snort-users] Considering using snort

Joel Esler jesler at ...1935...
Fri Aug 21 10:22:40 EDT 2009


I'd encourage you to use the built in perfomance monitor in snort. You  
can find it's configuration in the snort.conf file.

--
Sent from my iPhone

On Aug 21, 2009, at 10:18 AM, "Mark W. Jeanmougin" <mark.jeanmougin at ...14628... 
 > wrote:

> Guy,
>
> There's only one answer to this question: "It depends"
>
> It depends on traffic load, application load, hardware spec's,
> acceptable overhead, rule set, and all kinds of things that I probably
> haven't even thought about.
>
> But, I think you've answered the question in you post.  If you've been
> running snort on your load balancer, and you're basically happy with
> performance, then it sounds like the performance impact is acceptable.
>
> If you want to get a good idea of the impact, you could setup a simple
> cron job to run a "top -n 1" every so often, then grep the results for
> snort.  This will tell you the amount of CPU time used by snort at
> various points throughout the day.
>
> It appears that my idea of a  "simple cron job" may differ from most
> people's.  If you need help setting that up, just let me know!  :)
>
> Happy Friday,
>
> MJ
>
>
> On 08/21/2009 05:52 AM, Guy wrote:
>> Hi,
>>
>> One of our old boxes (set up by a previous sys admin) has snort on  
>> it.
>> It's about to be reinstalled, so before I include snort in the
>> reinstall I'd just like to find out one or two things.
>>
>> The machine it's currently on is a load balancer, so most of our
>> traffic hits one of the load balancers before going on to other
>> servers. But, due to the way our hosting company provides machines,
>> all our other servers can be accessed directly from the internet,  
>> even
>> though we use the LAN for most data transfer.
>>
>> What sort of load (CPU,RAM and I/O) does snort add to a server as  
>> some
>> of our servers already have fair load doing mail, mail scanning, etc?
>> I'm curious whether Snort would be usable on all our servers or would
>> be better to only have on the main entry points, the load balancers,
>> since they're not running heavy services.
>>
>> Any other advice about this would be appreciated.
>>
>> Thanks
>> Guy
>>
>
>
> --- 
> --- 
> --- 
> ---------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008  
> 30-Day
> trial. Simplify your report design, integration and deployment - and  
> focus on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list