Snort mailing list archives

Re: hardware requirements


From: Theodore Stout <theodorestout () yahoo com>
Date: Mon, 10 Jan 2005 15:36:39 -0800 (PST)

Rich,

You are right about one point here.  Packets dropped like crazy at 500m which is 50% of the max advertized bandwidth.

Theo

--- Rich Adamson <radamson () routers com> wrote:

The only reason for mentioning the motherboard (etc) is that people involved with heavy audio apps and asterisk (open source telephone pbx) have found that some motherboard pci implementations provide less than stellar bus throughput. The throughput has had nothing to do with processor speed, ram, or number of processors.

Based on those observations, I would have to guess the performance of snort with GigE will vary dramatically from one machine to another depending upon the exact mobo in use, etc.

I'm certainly not an expert on pci or gige, but have spent a fair amount of professional time conducting network performance assessments for clients in 40+ states. I have not yet seen any gige implementation that could actually drive the nic interface at anything close to rated speed in a production environment. (Note: there are probably some somewhere, but I've not seen them, and I've been exposed to a large number of implementations.)

As a strange recent example, we're trying to identify why a specific client's server with two gige interfaces cannot sustain traffic throughput greater than 170,000 bits/sec through a single interface. We've double-checked all the basic stuff, and there are no errors or discards happening anywhere, including the correctly configured cisco switch that it attaches to. We'll find the issue, but we're just not there as yet.

So, given the above and trying to relate back to the original post relative to recommended hardware to support snort with gige, I don't know that anyone can truly recommend something without qualifying the system (DL380) in use (or Mobo), and at what traffic volumes snort begins to drop packets. I'd be very confident the throughput is substantially less than gige speeds, and I wouldn't be a bit surprised to hear dropped packets occurring at throughputs less than 25% to 50%.

Rich
------------------------
True.  

We used the entire rule set and then singled it down to worms, virus, and porn related entries.

Motherboard:  Humm... I used a DL380 for the Snort install.  Got no idea about the motherboard.

Theo

--- Rich Adamson <radamson () routers com> wrote:

Right, so his original question should be reworded to be oriented towards when will snort begin dropping packets, etc. I've not seen anyone try to qualify motherboards, etc, under different traffic loads, rule sets, etc.

------------------------
Rich,

Yes this is true however most people use GigE Cards for traffic environments where major traffic, ie 1000 Meg traffic, is expected....

Theo

--- Rich Adamson <radamson () routers com> wrote:


Greetings, I would like to know if anyone has any hardware recommendations to run SNORT on. Specifically I'm looking to put a GigE NIC in a box and would like to know how fast a CPU and memory etc etc.

Just about any box will work, however what you really want to know is... at what level of traffic will snort begin to drop packets. In other words, it's traffic volume dependent, not GigE dependent.

I've got several Win32 boxes running just fine on boxes that came with GigE ports, but the traffic volumes at those locations are so low that snort could have been using a 10meg port.









-------------------------------------------------------
The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




                
__________________________________
Do you Yahoo!?
All your favorites on one personal page – Try My Yahoo!
http://my.yahoo.com

---------------End of Original Message-----------------









=== message truncated ===



                

