Re: How much can snort Snort?

[Roelof JT Jonkman <roel () SiliconDefense com>]

Kevin,

PC Hardware wise putting it bluntly:

- Serverworks chipset. (serverset III, LE, HE-SL etc.)
  (The nit picky detail, memory is at least 2 way interleaved, IObus
   is 1GB full duplex, and you hopefully have two independent
   PCI busses, so the network card doesn't get in the way of
   scsi card, and vice versa.)
   {IMHO even the Intel 7500 is pretty crummy compared to the
    serverworks, even the older serverset III, look at the
    iobus: hublink vs. imb.}
- GigE consumes a lot of a PCI bus. 
    (for example 32b/33Mhz => 133MB/s => 1Gbps)
- You can't peg PCI at's its theoretic max.
- If you do the database shuffle, a dually is nice. (you got that)
- Dedicate a HD to the database, so the only thing that is
  using the disk is the db. Use a journalling filesystem
  (reiserfs, ext3 etc)
- The more secondary cache the better. (Tualatin's with the 512K
  option to name a fairly cheap improvement)
- Would be nice to use AMD, except for the fact that the chipsets
  aren't nowhere near as good as the serverworks ones I believe.
  (Tyan K7X is the only board I can think of)

IDS is a cpu cycles game, so more cpu cycles is good. However when
pushing GigE, a standard PC platform doesn't cut it. You need to 
be picky about what hardware you use, and how you install
it. (split things over multiple pci busses etc.)

Hope this conveys a little idea of what it takes to tackle a
GigE link with PC hardware.

                roel


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users