[Snort-users] Snort Install

Jack Pepper pepperjack at ...14319...
Wed Dec 2 08:24:26 EST 2009


Quoting Biggs Darklighter <jedi_darklighter at ...125...>:

> on this network and am wondering if this would be a good machine to use?
> any suggestions would be very helpful. I have never used and have not
> installed snort as of yet due to lack of working computers (4) lying

The hardware you describe is sufficient for the sensor.  Beyond
"sufficient", let's be clear about a couple things:
   - if your ruleset is poorly tuned or badly deployed, no amount of
     hardware will be sufficient.
   - you must learn to run everything you need, then turn off everything else.

I personally run a bunch of Snort boxes on our satellite campuses
(less than 10 PCs) on AMD Geode (Soekris) machines with 512 MB RAM, no
disks, and the full ruleset.

The reason you can't find anything about recommended sizing is that it  
doesn't matter.  Rule tuning matters.  Deployment matters.  Everything  
else is just noise.

jp

-- 

Framework?  I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com




