Thu Nov 23 16:36:19 EST 2017
Since snort will only use one processor (though I know they plan to
multi-thread)... Almost all of our limitations have been based solely on how
much data one snort running on one processor could handle.... I'd estimate 1
CPU from a Netra T1 can handle @80-100Mbps with our setup.
With HOME_NET as [192.168.0.0/16,10.0.0.0/8,172.16.0.0/12] (all the local
addrs from whichever RFC that was) and EXTERNAL_NET as any, I'm sure we
could handle this much data on our T1s.
Not that it's very affordable, but a Sun 440R should be able to handle
@250Mbps per snort... (@1Gbps total)... But you'd have to separate it into
>=4 streams. Of course, if you have only a firewall facing the internet,
and then have several connections coming back from it, you could easily span
those separate streams beyond the firewall (from the internal switches), and
you'd still have all your data. That would also let you shrink your
HOME_NET to a much smaller net... And improve performance even more...
I'd talk about optimizing HOME_NET and rules and snort config, but I think
everyone else has covered that...
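As an added illustration (not part of the original post or of Snort itself), here is a small Python model of why the advice above to shrink HOME_NET lightens the sensor's load: it parses Snort-style address variables and counts how many sample flows would even reach the payload checks of a rule whose header is `alert tcp $EXTERNAL_NET any -> $HOME_NET any`, first with the RFC 1918 HOME_NET from the post and then with a narrow site-specific one. The 10.20.30.0/24 network and the six flows are constructed values; the model only evaluates rule-header address matching, not Snort's real detection engine.

```python
"""Model of Snort rule-header address matching under different HOME_NET values.

Added example, not code from the mailing-list post or from Snort. Values
marked 'constructed' are made up for illustration.
"""
import ipaddress

# HOME_NET exactly as the post gives it: the three RFC 1918 private ranges.
WIDE_HOME_NET = "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
# A narrower HOME_NET for a sensor placed behind the firewall (constructed /24).
NARROW_HOME_NET = "[10.20.30.0/24]"

# Constructed sample flows as (source address, destination address).
SAMPLE_FLOWS = [
    ("203.0.113.5", "10.20.30.7"),      # internet -> host on the narrow net
    ("203.0.113.9", "10.99.1.1"),       # internet -> other 10/8 host
    ("192.168.1.4", "10.20.30.7"),      # internal -> host on the narrow net
    ("172.20.0.2", "172.31.5.5"),       # internal -> internal
    ("10.20.30.7", "198.51.100.3"),     # narrow-net host -> internet
    ("198.51.100.3", "203.0.113.5"),    # internet -> internet (transit)
]


def parse_net_var(spec):
    """Parse a Snort-style address variable such as
    '[192.168.0.0/16,10.0.0.0/8]' or 'any' into a list of networks.
    'any' is returned as None, a sentinel meaning 'matches every address'."""
    spec = spec.strip()
    if spec == "any":
        return None
    spec = spec.strip("[]")
    return [ipaddress.ip_network(part.strip(), strict=False)
            for part in spec.split(",") if part.strip()]


def addr_in(addr, nets):
    """True if addr falls inside any network in nets (or nets is 'any')."""
    if nets is None:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def rule_applies(src, dst, home_net, external_spec):
    """Model the header 'alert tcp $EXTERNAL_NET any -> $HOME_NET any':
    the flow reaches the rule's payload checks only if src matches
    EXTERNAL_NET and dst matches HOME_NET.  external_spec is either 'any'
    (as in the post) or '!$HOME_NET' (everything outside HOME_NET)."""
    if external_spec == "!$HOME_NET":
        src_ok = not addr_in(src, home_net)
    else:
        src_ok = addr_in(src, parse_net_var(external_spec))
    return src_ok and addr_in(dst, home_net)


def count_inspected(flows, home_spec, external_spec="any"):
    """Number of flows whose header matches the modelled rule; fewer matches
    means less per-packet rule evaluation for the single-threaded sensor."""
    home = parse_net_var(home_spec)
    return sum(1 for src, dst in flows
               if rule_applies(src, dst, home, external_spec))


if __name__ == "__main__":
    for external in ("any", "!$HOME_NET"):
        for label, spec in (("wide", WIDE_HOME_NET), ("narrow", NARROW_HOME_NET)):
            n = count_inspected(SAMPLE_FLOWS, spec, external)
            print(f"EXTERNAL_NET={external:<11} HOME_NET={label:<6} "
                  f"flows reaching payload checks: {n}/{len(SAMPLE_FLOWS)}")
```

With EXTERNAL_NET left as `any`, the wide HOME_NET hands four of the six flows to the rule (including purely internal traffic), while the narrow one hands over two; setting EXTERNAL_NET to `!$HOME_NET` trims the wide case to two as well, which is the other lever the post alludes to when it mentions optimizing HOME_NET and the rules.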