
Re: [Snort-users] HW Specs

Subject: Re: [Snort-users] HW Specs
Date: Wed, 23 Nov 2005 11:59:44 +0000


--On 21 November 2005 14:34 +0100 "Brian J. Dyrehauge" <bjd@bridicum.com> wrote:

> I'm about to buy some hardware, and need to know what specs to go with.
> I'll be using Snort and MySQL on the same machine.

I'd really recommend splitting the sensor role from the database role, and running them on separate machines for best performance.

> We'll be monitoring on 2 NICs. Net traffic will be, as far as I've been
> informed by our customer, 17 GB on one NIC and 14 GB on the other NIC. The
> switch is a 100 MB, which means no Gigabit traffic.
>
> Do you guys have any recommendations as to what hardware I should buy?
> Take into consideration that it has to be non-expensive. ;)

These questions are always a bit vague as everyone's traffic patterns and NIDS config is different. However, for guidance, I'm using two Dell PowerEdge 2850s (2xXeon 3.2 Nocona (800MHz FSB, EM64T), E7520/E7525 chipset) running CentOS 4.2 x86_64.


The sensor has 2xIntel Pro/1000 MT Quad Port NICs, 4GB memory and 2x10K RPM SCSI discs, mirrored, connected to a PERC 4e/Di.

The database console has 8GB memory and 4x10K RPM discs RAID10'ed on a PERC 4e/Di. The kernel is running with elevator=deadline to improve IO scheduling performance.

The sensor is currently monitoring a single 100Mbit (pretty much solid, 24x7) feed from a SPAN port and has all rules enabled (including bleeding and community), with a fair bit of session tagging, and is utilizing 15-30% of one CPU and 188Mbyte of memory to do so. Snort is linked against Phil Wood's modified libpcap and configured to use the maximum buffer size. Hopefully the CPU usage will decrease once I've had a chance to tune the rules properly.

The sensor feeds its alerts into the console using FLoP. The console is currently using MySQL (this may change to PgSQL in the future). MySQL is currently using 2.2Gbyte of memory and sometimes flattens (99.9%) a single CPU, especially if the database is being queried whilst events are being logged.

If you need to economise, I'd recommend starting with eliminating the RAID and ~3GByte memory on the sensor. For further economy, reduce the console's memory to 4GByte. If you have the option, an Opteron-based machine might well be better for the console (and the sensor, if you can find one with multiple PCI-X busses - for a reasonable price).

I also have a test NIDS, which has all the software running on a single machine. It's a P4 1.7, 768Mbyte of memory and a single 40G ATA disc. It's monitoring a <=30Mbit/s feed, and it barely copes, often dropping packets. I've even disabled a number of noisy rules that, ideally, I'd like to leave enabled.

> Yours sincerely,
> Brian

HTH,
Alex.

--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing
GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
