[Snort-users] Snort Hardware Selection and Fiber/Copper Taps

Mark W. Jeanmougin mark.jeanmougin at ...14628...
Mon Nov 2 10:27:38 EST 2009

Seriously: I have to second the recommendation to buy the Sourcefire 
sensors.  I've got a half dozen or so and they work fairly well.  Their 
support is great.

The 9900 has great throughput, low enough latency and can handle 10 Gbit 
with no problems.

What are you looking to monitor?


On 10/30/2009 11:19 PM, Rob Dixon wrote:
> What do you *need*? Do you have requirements or just the biggest
> baddest snort sensor money can buy? hehe.
> On Thu, Oct 29, 2009 at 3:46 PM, Chan, Wilson <wchan at ...14702...> wrote:
>     I'm looking at spec’ing out some new servers for my Linux (CentOS)
>     Snort boxes. If funding was not an issue what would you buy?
>     Q: Snort is not multi-threaded so does it make sense to buy a rack
>     mount server with multiple CPUs?
>     Q: How much RAM should be allocated per server for 32-bit Snort on
>     Linux? If I go over 4Gb I would have to use a PAE kernel. How much
>     RAM can Snort use?
>     Q: Ntap fiber to copper aggregators for gigabit links or Ntap fiber
>     to copper traditional taps (Outputs Tx and Rx per copper port)?
>     Q: If I decide to use the traditional taps do you run two processes
>     of snort for each TX and RX or do you bridge the two interfaces and
>     run just one snort process? What is best to do in this scenario? Thanks!
>     *Wilson*
