Snort mailing list archives

Re: Throughput question, setup validation


From: Martin Roesch <roesch () sourcefire com>
Date: Fri, 16 Mar 2007 10:00:08 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Jim,

I'm not familiar with the specs of the CPU you're using on your  
sensor/bridge but since the traffic volume is pretty low I think  
you'll do fine on almost any modern system.  Just make sure you set  
your stream memcaps fairly high (in excess of 256MB, maybe more like  
512MB) and you tune your rules so that you aren't burning a lot of  
clock cycles looking for stuff that's never going to happen.

As for the distro to put it on, whatever you're comfortable with is  
probably best because you can concentrate on the sensor software and  
not have to spend a lot of time figuring out the underlying system.

        -Marty

On Mar 16, 2007, at 7:34 AM, Page-Zone Web Hosting wrote:

In the 3-4 days I've been losing sleep over this awesome program, I have a few questions. I've pored over every possible online resource for the past few days and have a system up and running although it has a long way to go. I'm not even sure it's working right, and haven't managed to get the inline portion working, but have managed to get traffic to go through the box.

My question is does this hardware setup / network scenario seem like a workable system and can anyone give me any recommendations:

The network is a 100mbit downlink to about 14 LAMP servers on the same C class /24 serving about 10,000 low traffic websites. The downlink goes into a managed SMC6224M Tiger switch.

Many of the sites are running mass distributed web apps such as wordpress, forum scripts, and just about every other script that can be downloaded for free, installed and abandoned by the webmaster/hobbyist, leaving us to worry about it getting exploited. Most sites are small business brochure or hobby sites. We have a lot of protections in place but never enough.

The 95% bandwidth usage is about 10mbps with bursts of 20mbps occasionally, so I imagine the key number there is 20mbps.

Budget is fairly low; for instance, aanval has been purchased and was considered expensive.

My plan is to install Snort-inline on a transparent bridge on a spare dual Opteron 270, 2GB ECC ram to start (it's all I have spare right now), 3ware 8000 series SATA raid 1, Tyan 3870 mainboard which has two on board 10/100/1000 LAN connections (Intel i82541PI), can be seen here:
http://www.newegg.com/Product/Product.asp?Item=N82E16813151041

Will the hardware setup listed above handle that type of network? Or better yet, what degree of rule checking could I accomplish? Every server runs an individual instance of mod_security with a 200kb set of rules and seems to keep up pretty well. The servers are of the same specs except that they are Opt. 275's & 285's.

Instead of an expensive bypass switch I plan to use a spare managed switch that the downlink would feed into, and if the Snort box goes down I could manually turn that port off and another port on which would feed into the Tiger switch. But I haven't tested that yet to see if it would work.

My next question: what would be the best distro to put this on, and if anyone has any suggestions or pitfall warnings I'd be very glad to hear them.

Thanks for any suggestions you may have.



-- 
Thank You,
Jim Snape
Page-Zone Web Hosting
http://www.page-zone.com


-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


- --
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)

iD8DBQFF+qLoqj0FAQQ3KOARAjgqAJ98Hw7alWIAleOtirRE7l+xoDsOtgCfX7/K
2HJSmf+kndMNc6HXg41Ih5I=
=KKKk
-----END PGP SIGNATURE-----
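Marty's reply boils down to two knobs: a stream memcap well above 256MB, and a rule set trimmed to what can actually be attacked on a LAMP-only /24. The script below is an added example, not code from the thread or from Sourcefire: it emits a Snort 2.x snort.conf fragment applying both points and carries a small check a practitioner would want, namely that the memcap it wrote really is at or above the 256MB floor. The one thing people reliably get wrong is that Snort's `memcap` keyword takes bytes, so "memcap 256" would be 256 bytes, not 256MB. Assumptions: Snort 2.6.x with the stream5 preprocessor (stream4 takes `memcap <bytes>` the same way), VRT rule file names of that era, 192.0.2.0/24 standing in for the real /24, and ports 80/21/22/3306 as the only services behind the bridge; the rule-file lists are my own choice for a web-hosting segment, not anything the thread specifies.

```shell
#!/bin/sh
# Added example (not from the original thread or from Snort/Sourcefire).
# Generate a Snort 2.x snort.conf fragment for a LAMP-only /24 following
# the advice in the reply above: stream memcap >= 256 MB (512 MB here)
# and a rule set trimmed to things that can actually happen on this net.
# Assumptions: Snort 2.6.x stream5 syntax, 2007-era VRT rule file names,
# 192.0.2.0/24 as a placeholder for the real hosting /24.

# Convert megabytes to the raw byte count Snort expects after "memcap".
# A bare "memcap 256" would be 256 *bytes*, which is why the unit matters.
mb_to_bytes() {
    echo $(( $1 * 1024 * 1024 ))
}

# Rule files worth loading on a web-hosting segment (assumed list):
# PHP/CGI/web attacks, SQL, attack responses, backdoors, shellcode,
# and the FTP/SSH paths the webmasters use to administer their sites.
keep_rules() {
    echo "web-php web-cgi web-attacks web-misc web-iis sql mysql
attack-responses backdoor shellcode exploit ftp ssh"
}

# Rule files that burn cycles here for nothing (assumed list): there is
# no Windows, Oracle, NetBIOS, mail or chat traffic behind this bridge.
drop_rules() {
    echo "netbios oracle smtp pop3 imap chat p2p multimedia"
}

# Emit the configuration fragment. $1 = stream memcap in MB (default 512).
gen_snort_conf() {
    memcap_mb=${1:-512}
    bytes=$(mb_to_bytes "$memcap_mb")
    printf 'var HOME_NET 192.0.2.0/24\n'
    printf 'var EXTERNAL_NET !$HOME_NET\n'
    printf 'var HTTP_SERVERS $HOME_NET\n'
    printf 'var SQL_SERVERS $HOME_NET\n'
    printf 'portvar HTTP_PORTS 80\n'
    printf 'var RULE_PATH /etc/snort/rules\n'
    # ac-bnfa keeps the pattern-matcher memory footprint modest on 2 GB.
    printf 'config detection: search-method ac-bnfa\n'
    # stream5_global memcap is in BYTES: %s MB becomes %s bytes.
    printf 'preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp no, memcap %s\n' "$bytes"
    printf 'preprocessor stream5_tcp: policy linux, ports both 80 21 22 3306\n'
    for r in $(keep_rules); do
        printf 'include $RULE_PATH/%s.rules\n' "$r"
    done
    for r in $(drop_rules); do
        printf '# include $RULE_PATH/%s.rules   (disabled: no such services behind this bridge)\n' "$r"
    done
}

# Sanity check a fragment read on stdin: succeed only if the stream5
# memcap is present and at least the 256 MB floor recommended above.
check_memcap() {
    floor=$(mb_to_bytes 256)
    got=$(sed -n 's/.*stream5_global:.*memcap \([0-9][0-9]*\).*/\1/p')
    [ -n "$got" ] && [ "$got" -ge "$floor" ]
}

# Write the fragment and have Snort parse it (-T) before going inline.
# Only runs when invoked as: sh thisfile.sh apply
apply() {
    gen_snort_conf 512 > ./snort.conf.local
    ./snort.conf.local_check() { :; }
    check_memcap < ./snort.conf.local || { echo "memcap below 256 MB" >&2; exit 1; }
    snort -T -c ./snort.conf.local
}

if [ "${1:-}" = "apply" ]; then apply; else gen_snort_conf 512; fi
```

Run it with no arguments to print the fragment for review; `apply` writes it next to the script, refuses to continue if the memcap check fails, and hands the file to `snort -T` for a parse-only pass so a typo is caught before the box is put inline. The disabled rule files are left in as comments so the next person can see what was dropped on purpose rather than forgotten.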


