Snort mailing list archives
Re: Considering using snort
From: Joel Esler <jesler () sourcefire com>
Date: Fri, 21 Aug 2009 10:22:40 -0400
I'd encourage you to use the built-in performance monitor in snort. You can find its configuration in the snort.conf file.

--
Sent from my iPhone

On Aug 21, 2009, at 10:18 AM, "Mark W. Jeanmougin" <mark.jeanmougin () cchmc org> wrote:

Guy,

There's only one answer to this question: "It depends."

It depends on traffic load, application load, hardware specs, acceptable overhead, rule set, and all kinds of things that I probably haven't even thought about.

But, I think you've answered the question in your post. If you've been running snort on your load balancer, and you're basically happy with performance, then it sounds like the performance impact is acceptable.

If you want to get a good idea of the impact, you could set up a simple cron job to run a "top -n 1" every so often, then grep the results for snort. This will tell you the amount of CPU time used by snort at various points throughout the day.

It appears that my idea of a "simple cron job" may differ from most people's. If you need help setting that up, just let me know! :)

Happy Friday,
MJ

On 08/21/2009 05:52 AM, Guy wrote:

Hi,

One of our old boxes (set up by a previous sys admin) has snort on it. It's about to be reinstalled, so before I include snort in the reinstall I'd just like to find out one or two things.

The machine it's currently on is a load balancer, so most of our traffic hits one of the load balancers before going on to other servers. But, due to the way our hosting company provides machines, all our other servers can be accessed directly from the internet, even though we use the LAN for most data transfer.

What sort of load (CPU, RAM and I/O) does snort add to a server, as some of our servers already have fair load doing mail, mail scanning, etc.?

I'm curious whether Snort would be usable on all our servers or would be better to only have on the main entry points, the load balancers, since they're not running heavy services.

Any other advice about this would be appreciated.

Thanks
Guy

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
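The cron-driven "top, then grep for snort" sampling suggested in the quoted reply, written out as an added example that is not part of the original thread. Under cron there is no terminal, so top is run in batch mode (`-b`); the process name `snort`, the log path and the script path in the crontab comment are assumptions.

```shell
#!/bin/sh
# Added example: sample Snort's CPU and memory share from batch-mode top.
# PROC and LOG are assumed names/paths; adjust to the local install.
PROC=${PROC:-snort}
LOG=${LOG:-/var/log/snort-load.log}

# Read `top -b -n 1` output on stdin; print "<count> <cpu%> <mem%>" summed over
# all processes whose COMMAND is exactly $1. Columns are located from the
# header row, because their order differs between top versions and configs.
snort_usage() {
    awk -v proc="$1" '
        $1 == "PID" {                       # header row of the process table
            for (i = 1; i <= NF; i++) {
                if ($i == "%CPU")    c = i
                if ($i == "%MEM")    m = i
                if ($i == "COMMAND") n = i
            }
            next
        }
        c && m && n && $n == proc { cpu += $c; mem += $m; count++ }
        END { printf "%d %.1f %.1f\n", count, cpu, mem }
    '
}

# Take one live sample and append a timestamped line to $LOG.
sample_once() {
    printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" \
        "$(LC_ALL=C top -b -n 1 | snort_usage "$PROC")" >> "$LOG"
}

# Constructed sample of top output, used for an offline check of the parser.
sample_top_output() {
    cat <<'EOF'
top - 10:22:40 up 12 days,  3:01,  1 user,  load average: 0.42, 0.35, 0.30
Tasks:  97 total,   1 running,  96 sleeping,   0 stopped,   0 zombie

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 2314 snort     20   0  412m 198m 3012 S 12.3  4.9  81:02.11 snort
 2320 snort     20   0  398m 187m 2980 S  3.2  4.6  20:11.40 snort
 1877 root      20   0  120m  22m 4100 S  1.0  0.5   2:13.07 snortsam
  901 mail      20   0  310m  90m 5200 S  8.7  2.2  40:55.90 amavisd
EOF
}

# Run a live sample only when asked, e.g. from cron (assumed install path):
#   */5 * * * * /usr/local/bin/snort-load.sh --sample
if [ "${1:-}" = "--sample" ]; then sample_once; fi
```

Matching the COMMAND column exactly, rather than grepping the whole line, keeps processes owned by a `snort` user or named like `snortsam` out of the total.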
Current thread:
- Considering using snort Guy (Aug 21)
- Re: Considering using snort Mark W. Jeanmougin (Aug 21)
- Re: Considering using snort Joel Esler (Aug 21)
- Re: Considering using snort Guy (Aug 21)
- Re: Considering using snort Guy (Aug 21)
- Re: Considering using snort Joel Esler (Aug 21)
- Re: Considering using snort Mark W. Jeanmougin (Aug 21)