[Snort-users] New install questions.
doug.burks at ...11827...
Wed Mar 6 16:33:31 EST 2013
On Wed, Mar 6, 2013 at 4:23 PM, Joel Esler <jesler at ...1935...> wrote:
> 2) What kind of hardware do I need? Since this is my internet sniffer
> it will be seeing some rather exotic traffic and will need some careful
> tuning to get right. I would like to be able to use as many rules as
> possible, but more rules = more CPU and RAM. Given that, what kind of
> hardware am I looking at to be able to use a good and thorough rule set
> while not getting bogged down under peak conditions (theoretically about
> You'll probably need something like flow dividing and pinning to CPUs.
> There are lots of articles out there on this information. One of the more
> recent that discusses this topic (although it really doesn't tell you how to
> configure Snort:
> ) Worth a good read. I believe the Security Onion distro does this now
> (Doug, care to confirm?)
Security Onion includes PF_RING, so you can divide your traffic
amongst as many Snort instances as you have cores.
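
An added illustration, not part of the message above and not PF_RING's own hashing code: dividing traffic by flow means both directions of a connection must reach the same Snort instance, otherwise that instance's stream reassembly sees only half the session. The function names and sample packets are constructed for this example.

```python
# Added illustration of symmetric flow hashing (the idea behind "flow dividing").
# Not PF_RING's actual algorithm; all names and sample packets are constructed.
import ipaddress
import zlib
from collections import defaultdict


def flow_key(src, sport, dst, dport, proto):
    """Order the two endpoints so both directions of a flow give the same key."""
    a = (int(ipaddress.ip_address(src)), sport)
    b = (int(ipaddress.ip_address(dst)), dport)
    lo, hi = sorted((a, b))
    return f"{proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}".encode()


def pick_instance(pkt, n_instances):
    """Map a packet (5-tuple) to one of n_instances sensor processes by flow."""
    return zlib.crc32(flow_key(*pkt)) % n_instances


def divide(packets, n_instances):
    """Return {instance index: [packets]} for a list of 5-tuples."""
    queues = defaultdict(list)
    for pkt in packets:
        queues[pick_instance(pkt, n_instances)].append(pkt)
    return dict(queues)


# Constructed sample traffic: (src, sport, dst, dport, proto)
SAMPLE = [
    ("192.0.2.10", 51000, "198.51.100.5", 80, "tcp"),   # client -> server
    ("198.51.100.5", 80, "192.0.2.10", 51000, "tcp"),   # server -> client
    ("192.0.2.11", 40000, "198.51.100.5", 443, "tcp"),
    ("2001:db8::1", 5353, "2001:db8::2", 53, "udp"),    # query
    ("2001:db8::2", 53, "2001:db8::1", 5353, "udp"),    # response
]

if __name__ == "__main__":
    # Per-instance packet counts; one very busy flow still lands on one core.
    for idx, pkts in sorted(divide(SAMPLE, 4).items()):
        print(f"instance {idx}: {len(pkts)} packet(s)")
```

Because the split is per flow, a single high-volume connection cannot be spread across cores, so per-instance load should be checked under real traffic.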