Re: Considering using snort

[Joel Esler <jesler () sourcefire com>]

I'd encourage you to use the built in perfomance monitor in snort. You  
can find it's configuration in the snort.conf file.

--
Sent from my iPhone

On Aug 21, 2009, at 10:18 AM, "Mark W. Jeanmougin" <mark.jeanmougin () cchmc org 
> wrote:

> Guy,
>
> There's only one answer to this question: "It depends"
>
> It depends on traffic load, application load, hardware spec's,
> acceptable overhead, rule set, and all kinds of things that I probably
> haven't even thought about.
>
> But, I think you've answered the question in you post.  If you've been
> running snort on your load balancer, and you're basically happy with
> performance, then it sounds like the performance impact is acceptable.
>
> If you want to get a good idea of the impact, you could setup a simple
> cron job to run a "top -n 1" every so often, then grep the results for
> snort.  This will tell you the amount of CPU time used by snort at
> various points throughout the day.
>
> It appears that my idea of a  "simple cron job" may differ from most
> people's.  If you need help setting that up, just let me know!  :)
>
> Happy Friday,
>
> MJ
>
>
> On 08/21/2009 05:52 AM, Guy wrote:
> > Hi,
> >
> > One of our old boxes (set up by a previous sys admin) has snort on  
> > it.
> > It's about to be reinstalled, so before I include snort in the
> > reinstall I'd just like to find out one or two things.
> >
> > The machine it's currently on is a load balancer, so most of our
> > traffic hits one of the load balancers before going on to other
> > servers. But, due to the way our hosting company provides machines,
> > all our other servers can be accessed directly from the internet,  
> > even
> > though we use the LAN for most data transfer.
> >
> > What sort of load (CPU,RAM and I/O) does snort add to a server as  
> > some
> > of our servers already have fair load doing mail, mail scanning, etc?
> > I'm curious whether Snort would be usable on all our servers or would
> > be better to only have on the main entry points, the load balancers,
> > since they're not running heavy services.
> >
> > Any other advice about this would be appreciated.
> >
> > Thanks
> > Guy
>
>
> --- 
> --- 
> --- 
> ---------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008  
> 30-Day
> trial. Simplify your report design, integration and deployment - and  
> focus on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what's new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users