Snort mailing list archives

Re: Sizing a machine for Snort


From: Erek Adams <erek () theadamsfamily net>
Date: Tue, 18 Sep 2001 23:06:38 -0700 (PDT)

On Tue, 18 Sep 2001, Muscat, Tyrone J. wrote:

> I am considering installing an IDS based on Snort

And a Dandy Choice it is too!

> My Operating System will probably be Solaris 8 (Management does not care for
> Linux)

At least your management seems to have a clue about stable OSes.  *duck*
(Sorry, I'm a Solaris Bigot--I've gotta take the occasional Linux pot-shot!)

> How much disk space is a good starting point for logs...

As much as you want to keep.  ;-)  Disks are cheap.  Buy a 10+gig SCSI drive
and go to town!

> How much disk space for a MySQL Database setup...

Again, as much as you want!  Get as much as they will fund!  If they will
support a RAID 1+0 at 100GB then take it and don't look back!

Just be sure that your central console has 10x-15x the disk that your sensors
have.  You need to hang onto the data for correlation and analysis.

> I looked through the archives but I did not find any mention on disk
> space....
> Should I log all the traffic or just the alerts

That depends.  If you're following the SHADOW model, then log it all and use
BPF filters to clear the cruft.

If you're using the Snort model, only log alerts.  That's all you're really
interested in...

> My end goal is to log alerts to a web page and be able to produce a few
> charts for management to prove that security is important.

ACID.  More ACID.  Oh, wait...  That might be hard to sell to management...
;-)  Seriously, check out http://acidlabs.sourceforge.net/  It's well worth
the time for setup with MySQL and PHP.  Besides, it produces 'management
friendly' information (web pages with charts and pictures).

Hope this helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
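A rough disk-sizing estimate for the two logging models the reply contrasts (log everything, SHADOW-style, versus Snort's alerts-only model) and for the "console needs 10x-15x the sensor disk" rule of thumb, as an added example that is not from the original message or from the Snort project. Every figure in it (the sample link profile, the 16-byte per-packet capture header, the 512-byte per-alert record, the 25% headroom) is a constructed assumption to be replaced with measurements from your own tap.

```python
"""Back-of-envelope disk sizing for a Snort sensor and its central console.

Added example (not from the mailing-list post or from Snort). All numbers
below are constructed assumptions; measure your own link before buying disk.
"""
from dataclasses import dataclass

GIB = 1024 ** 3
SECONDS_PER_DAY = 86_400


@dataclass
class LinkProfile:
    """Traffic seen on one sensor's tap/span port (constructed sample values)."""
    name: str
    avg_mbps: float            # sustained average utilisation in megabits/s
    packets_per_sec: float     # average packet rate
    alerts_per_hour: float     # alerts Snort raises per hour after tuning
    alert_bytes: int = 512     # assumed size of one alert record + offending packet


def full_capture_bytes_per_day(p: LinkProfile, pcap_header_bytes: int = 16) -> int:
    """SHADOW model: keep every packet. Payload plus a per-packet capture header
    (assumed 16 bytes, the size of a classic pcap record header)."""
    payload = p.avg_mbps * 1_000_000 / 8 * SECONDS_PER_DAY
    overhead = p.packets_per_sec * pcap_header_bytes * SECONDS_PER_DAY
    return int(payload + overhead)


def alerts_only_bytes_per_day(p: LinkProfile) -> int:
    """Snort model: keep only alerts (plus the packet that triggered each)."""
    return int(p.alerts_per_hour * 24 * p.alert_bytes)


def sensor_disk_gib(p: LinkProfile, retention_days: int, log_all: bool,
                    headroom: float = 1.25) -> float:
    """Disk a sensor needs to hold `retention_days` of data, with 25% headroom
    (assumed) so a burst does not fill the partition and stall logging."""
    per_day = full_capture_bytes_per_day(p) if log_all else alerts_only_bytes_per_day(p)
    return per_day * retention_days * headroom / GIB


def console_disk_gib(sensor_gibs: list, multiplier: float = 10.0) -> float:
    """Central console: the reply's rule of thumb is 10x-15x the sensors' disk,
    since that is where data is kept long-term for correlation."""
    return sum(sensor_gibs) * multiplier


def sample_profile() -> LinkProfile:
    """Constructed sample: a lightly loaded 10 Mbit/s average link."""
    return LinkProfile("dmz-tap", avg_mbps=10, packets_per_sec=2000, alerts_per_hour=50)


if __name__ == "__main__":
    p = sample_profile()
    for log_all in (True, False):
        model = "log all traffic" if log_all else "alerts only"
        gib = sensor_disk_gib(p, retention_days=30, log_all=log_all)
        print(f"{p.name}: {model:16s} 30 days -> sensor {gib:10.2f} GiB, "
              f"console (x15) {console_disk_gib([gib], 15):10.2f} GiB")
```

The point the two rows make is the one the reply makes in words: full capture on even a quiet link runs to terabytes a month, while alerts-only is a rounding error, and whichever model you choose the console, not the sensor, is where the retention budget goes.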
