Snort mailing list archives
RE: hardware requirements for snort sensors
From: "Kreimendahl, Chad J" <Chad.Kreimendahl () umb com>
Date: Tue, 29 Jul 2003 10:55:21 -0500
Everyone's requirements are different... And often so much so that it's almost impossible to make the end-all recommendation to the perfect setup. However, almost everyone is likely to agree that it's ideal to have the sensors reporting back to a core system (database or syslog server). You'll find it much easier to analyze the alerts doing this, and that's the most important part of having IDS.

Secondly, for processing power, there are many considerations. How much bandwidth do you push across these switches? How many interfaces will be on each system? Generally speaking, you can spend less than $3k on each sensor and likely push well over 1Gbps to each using multiple network cards (and a quad card is often better than 4 individual cards for performance [read interrupts rant]). If you go Intel, try relatively inexpensive processors (2.2+GHz)... Won't be worth the money for 3+GHz since interrupts are often your biggest killer and eat nearly the same system time either way.

For the database, it all depends on how much you plan on storing. I'd go on a long rant criticizing a few DBs right now, but I'm not sure there's a point. In all likelihood you can spend the same on a DB box and be happy.

IDE drives are acceptable for sensors... SCSI or SAN or NAS for your DB is a must for high performance.

It may be easiest to get a switch for just your IDS network and then run your port-mirroring straight to them.

-----Original Message-----
From: scott_sakai () nettricity com [mailto:scott_sakai () nettricity com]
Sent: Thursday, July 24, 2003 5:36 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] hardware requirements for snort sensors

Hi,

I've been charged with setting up an IDS environment and was wondering what recommendations people have for the "ideal" setup. Sensors reporting back to a single host or autonomous sensors that detect and collect data on their own? What level of hardware for each part do you all think is needed to monitor a 100mbit LAN?
Do I need much processing power? Memory, 512MB enough, or is a gig needed? What about hard drive, IDE or SCSI?

Does each sensor being autonomous make more sense, instead of having to worry about the "back-end" link to the server? I'm looking at deploying on maybe three or four segments via port mirroring on 10/100 ethernet switches.

Any advice would be appreciated,
Thanks!
Scott

-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including Data Reports, E-commerce, Portals, and Forums are available now. Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- hardware requirements for snort sensors scott_sakai (Jul 24)
- <Possible follow-ups>
- RE: hardware requirements for snort sensors Kreimendahl, Chad J (Jul 29)
