[Snort-users] New install questions.

Doug Burks doug.burks at ...11827...
Wed Mar 6 16:33:31 EST 2013


On Wed, Mar 6, 2013 at 4:23 PM, Joel Esler <jesler at ...1935...> wrote:
<snip>
> 2)      What kind of hardware do I need?  Since this is my internet sniffer
> it will be seeing some rather exotic traffic and will need some careful
> tuning to get right.  I would like to be able to use as many rules as
> possible, but more rules = more CPU and RAM.  Given that, what kind of
> hardware am I looking at to be able to use a good and thorough rule set
> while not getting bogged down under peak conditions (theoretically about
> 3Gb/sec).
>
>
> You'll probably need something like flow dividing and pinning to CPUs.
> There are lots of articles out there on this information.  One of the more
> recent that discuss this topic (although it really doesn't tell you how to
> configure Snort:
> http://erratasec.blogspot.com/2013/02/multi-core-scaling-its-not-multi.html
> )  Worth a good read.  I believe the Security Onion distro does this now
> (Doug, care to confirm?)

Security Onion includes PF_RING, so you can divide your traffic
amongst as many Snort instances as you have cores.

Doug




More information about the Snort-users mailing list