RE: Minimum hardware config for Snort

[Paul Schmehl <pauls () utdallas edu>]

--On Friday, August 08, 2003 15:55:23 -0400 "Sheahan, Paul" 
<Paul.Sheahan () priceline com> wrote:

> Thanks for the response. Here is an example of the factors in my
> environment:
>
> - Gig network with up to 100mb/s traffic
> - Running on Red Hat Linux 7
> - Will most likely be on an Intel platform (Compaq)
> - Will only have 50% of the default rules enabled plus some of my own
> - All preprocessors enabled (at least that is the initial plan)
> - Outputs will most likely be to log only, but MAY be going to ACID
> - Prefer no packet loss
> - No other services running (this will be a dedicated sensor box)
>
> Any recommendations on hardware in this example?
Sorry this took so long.  Been very busy.

You're going to need to do some serious tuning to run without much packet 
loss.  Personally I would use FreeBSD for those kinds of speeds, but if 
you're not familiar with the OS, you're better off with one you know.

I would definitely use barnyard so snort can sniff and do nothing else. 
Look at kernel parameters that you can tweak to improve stack performance. 
Snort can only use one processor (I believe), so SMP won't do you any good.

I'd stick with known good NICs like 3COM or Intel Gig cards.  Turn off 
absolutely everything on the box that isn't necessary to run the sensor, 
including xinet.d and associated services.  All you should need is OpenSSH, 
OpenSSL (for tunneling), tcpwrappers and snort.  Set up iptables if you're 
paranoid like I am, and allow everything to the sniffer card and nothing 
but ssh from known good addresses on the management interface.  I don't 
think you'll need more than 512MB of RAM, but RAM is so cheap these days 
that 1GB is probably standard.  Any processor over 800MHz should be fine as 
well.  You'll need at least a 40GB hard drive, but too is pretty standard. 
Depending on your situation, you may want to use RAID on SCSI drives, but 
we run snort on two DS3s with a box with one 40GB IDE drive (running 
FreeBSD) and don't have any problems.

I would strongly recommend you consider using RH 9, rather than 7.  You'll 
have much better capabilities in the kernel.  And read the kernel HOWTO to 
see what parameters you can tweak for better performance.  You may even 
want to consider recompiling the kernel to make it match your hardware and 
not load anything extra.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users