Snort mailing list archives
Re: [Snort-devel] SNORT Performance Issues !!!!!!!!
From: Peter_J_Moore () national com au
Date: Wed, 13 Nov 2002 09:37:20 +1000
It depends what you are monitoring. If you are monitoring a very large network, then you may want to deploy more than one sensor (a sensor is a machine running Snort). You could split up the TCP/IP address range or networks that each sensor is monitoring.

I ran Snort 1.81-1.83 on a dual Pentium II 266 running BeOS R5 BONE, logging to both a log file and 2 PostgreSQL database servers, for over a year and it was fine, but I have a small network. One of the PostgreSQL servers was also the machine running Snort. I've replaced this box (motherboard died) with a Celeron 1.1GHz 256MB RAM BeOS R5 machine, and it logs the output as mentioned above and hardly raises a sweat.

You could also look at the rules you are including versus the firewall ports you have open. Talk to your security guys about your security policy. Is it worth monitoring ICQ and IRC if you don't even have those ports open on your firewall? That's the sort of question you need to ask. This will reduce what the sensor is actually monitoring and thus reduce the load.

And FYI, I've run the same config as mentioned above on a Mandrake Linux 6.x PIII 500 with 512MB RAM. This box also runs a Sybase database server as well as PostgreSQL and it too handled it easily... but as I mentioned, it's not a big network.

regards
peter

Atul Shrivastava <atul_iet () yahoo com>
Sent by: snort-devel-admin () lists sourceforge.net
12/11/2002 08:09 PM
To: snort-users () lists sourceforge net
cc: snort-devel () lists sourceforge net
Subject: [Snort-devel] SNORT Performance Issues !!!!!!!!

Hi All,

Can anyone tell me what the minimum hardware configuration requirement is for Snort to run on a Redhat LINUX v7.3 machine? I think the following requirement is sufficient:

For a 100 Mbps ethernet card: Pentium P III processor with 1 GB of RAM and 10 GB of SCSI hard disk

For a Gigabit ethernet card: Pentium P III processor with 2 GB of RAM and 20 GB of SCSI hard disk

Can anyone give me views regarding that, whether this configuration is correct or needs to be updated?

I also want to know: if we put in less RAM (let's say 128 MB), will Snort then not be able to accept all the attempts? Because in my case, it is happening. I dropped my RAM down to 64 MB and I see that there are too many alerts that got dropped. Why, I don't know. So please tell me whether there is any critical point after which Snort starts dropping the alerts.

Also I want to know what the difference is between the "alerts" and "log" keywords in the Output Plugin of the SnortCenter Management Console?

Thanks in advance

Regards and have a nice day,
Atul Shrivastava
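
The rule-versus-firewall comparison suggested in the reply above, sketched as an added example (not from the original thread or the Snort project): it lists rules whose port constraints match none of the ports the firewall leaves open. The open-port set, the variable table and the sample rules are constructed assumptions, and only `any`, single-port, range, negated and `$VAR` port fields are handled.

```python
import re

# Snort rule header: action proto src_ip src_port direction dst_ip dst_port (options)
HEADER = re.compile(r"^\w+\s+\w+\s+\S+\s+(\S+)\s+(?:->|<>)\s+\S+\s+(\S+)\s*\((.*)\)\s*$")

def resolve(spec, variables):
    """Expand $VAR port variables; an undefined variable raises KeyError."""
    while spec.startswith("$"):
        spec = variables[spec[1:]]
    return spec

def covers(spec, port, variables):
    """True if a port field (any, N, lo:hi, :hi, lo:, !spec, $VAR) includes port."""
    spec = resolve(spec, variables)
    if spec.startswith("!"):
        return not covers(spec[1:], port, variables)
    if spec == "any":
        return True
    lo, sep, hi = spec.partition(":")
    if not sep:
        return port == int(lo)
    return int(lo or 0) <= port <= int(hi or 65535)

def prune_candidates(rules_text, open_ports, variables):
    """Return the msg of each rule whose port constraints match no open port."""
    candidates = []
    for line in rules_text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # comments, blank lines, var/include directives
        src, dst, opts = m.groups()
        # Only sides that actually restrict the port take part in the decision.
        constrained = [p for p in (src, dst) if resolve(p, variables) != "any"]
        if constrained and not any(covers(p, port, variables)
                                   for p in constrained for port in open_ports):
            msg = re.search(r'msg:\s*"([^"]*)"', opts)
            candidates.append(msg.group(1) if msg else line.strip())
    return candidates

# Constructed sample data (assumptions, not taken from the thread).
OPEN_PORTS = {25, 80, 443}
VARS = {"HTTP_PORTS": "80"}
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXAMPLE web request"; sid:1000001;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"EXAMPLE IRC nick change"; sid:1000002;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"EXAMPLE ICQ login"; sid:1000003;)
alert icmp any any -> $HOME_NET any (msg:"EXAMPLE ICMP echo"; sid:1000004;)
"""

if __name__ == "__main__":
    for name in prune_candidates(SAMPLE_RULES, OPEN_PORTS, VARS):
        print("review for removal:", name)
```

The output is a review list rather than an automatic delete list: rules with `any` on both sides are always kept, and whether a flagged rule can go is a question for the security policy.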