Snort mailing list archives
Re: Multiple instances of snort on one box?
From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 21 Oct 2004 16:24:31 -0400
At 03:39 PM 10/21/2004, Drew Stockman wrote:
We are trying to consolidate machines and I am being asked if we can put all of the snort sensors on one box. I was just wondering if anyone can point me in the right direction. I believe I have to run separate instances of Snort listening on different NICs, correct?
Depends a bit on your OS.. Most linuxes will support -i "any" which will allow a single snort process to sniff all three.. However, your results will be mixed together.
It is however quite possible to run multiple snorts.
Also, what kind of hardware would it take to replace 3 sensors, each listening to a T-1 connection?
Sniffing 3 t1's is 9mbit/sec max cross-section. 3 * (1.5 in +1.5 out) = 9mbit/sec
That shouldn't be terribly hard for even a low-end box to handle. I used to monitor a single t1 using Snort 2.0 on a 133mhz Pentium I without much trouble, provided I disabled spp_conversation and portscan2. Admittedly this was pre-pcre, but it's a starting point.
If a single t1 can be monitored on a p-133, 3 should be able to be handled on a 400mhz box. There's a good bit of overhead to PCRE, but there's also a big difference between a Pentium and a Pentium II or better, even at the same clock.
Provided your NICs aren't realtek 8139's or similar inefficient cheap cards, and you use efficient logging (i.e. ascii-mode packet dumps) you should be able to handle it on a PII-400 or better. But I'd consider this a minimum, a little extra CPU never hurt.
Make sure you've got about 40mb of ram for each snort, plus a minimum of 64mb for the OS, etc. So I'd say 192mb of ram really should be your minimum goal.
If you want to run acid/sql on this box, double all of the above minimums.
Is there any documentation out there on setting up a multiple Snort sensor like this?
Shouldn't be difficult.. Particularly if you chroot them with -t.
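The per-NIC layout the reply sketches (one Snort process per interface, each chrooted with -t and running as an unprivileged user), written out as an added example that is not part of the original thread. The binary path, the config/log/jail directory layout, the run-as user and group, and the interface names eth1-eth3 are all assumptions; the flags are the standard Snort 2.x ones (-i, -c, -l, -t, -u, -g, -D).

```shell
#!/bin/sh
# Added example (not from the original thread): start one Snort 2.x instance
# per monitored NIC, each with its own config, log directory and chroot jail.
# Every path, the user/group and the interface list below are assumptions.
set -eu

SNORT=${SNORT:-/usr/sbin/snort}          # assumed binary location
CONF_DIR=${CONF_DIR:-/etc/snort}         # assumed: one <iface>.conf per sensor
LOG_ROOT=${LOG_ROOT:-/var/log/snort}     # separate -l per instance keeps logs
                                         # and snort_<iface>.pid files apart
JAIL_ROOT=${JAIL_ROOT:-/srv/snort-jail}  # assumed chroot root, one per instance
RUN_USER=${RUN_USER:-snort}              # assumed unprivileged account
RUN_GROUP=${RUN_GROUP:-snort}
IFACES=${IFACES:-"eth1 eth2 eth3"}       # assumed: the three T-1-facing NICs
DRY_RUN=${DRY_RUN:-1}                    # 1 = print the command lines only

# Compose the command line for one sensor. Snort 2.x flags:
#   -D daemonize      -i sniff this interface     -c rules/config file
#   -l log directory  -t chroot to this directory after initialization
#   -u/-g drop root privileges to this user/group once sockets are open
snort_cmd() {
    iface=$1
    printf '%s -D -i %s -c %s/%s.conf -l %s/%s -t %s/%s -u %s -g %s' \
        "$SNORT" "$iface" "$CONF_DIR" "$iface" "$LOG_ROOT" "$iface" \
        "$JAIL_ROOT" "$iface" "$RUN_USER" "$RUN_GROUP"
}

# How many separate processes the configured interface list produces.
sensor_count() {
    set -- $IFACES
    echo $#
}

# Create the per-instance directories and launch (or, in dry-run mode, print)
# one Snort per interface. Mixing them into a single "-i any" process would
# work on most Linux kernels but merges all three sensors' output.
start_sensors() {
    for iface in $IFACES; do
        cmd=$(snort_cmd "$iface")
        if [ "$DRY_RUN" = 1 ]; then
            echo "$cmd"
        else
            mkdir -p "$LOG_ROOT/$iface" "$JAIL_ROOT/$iface"
            $cmd
        fi
    done
}

start_sensors
```

Run with DRY_RUN=0 as root to actually start the sensors. Before doing so, check against your Snort version's manual that the -l directory and anything the config references after start-up are reachable inside the -t jail, since the log path is resolved after the chroot, and confirm each instance writes its own PID file so that stopping one sensor does not kill its neighbours.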
Current thread:
- Multiple instances of snort on one box? Drew Stockman (Oct 21)
- Re: Multiple instances of snort on one box? Matt Kettler (Oct 21)
- Re: Multiple instances of snort on one box? Edin Dizdarevic (Oct 22)
- Re: Multiple instances of snort on one box? Edin Dizdarevic (Oct 25)
- Re: Multiple instances of snort on one box? Matt Kettler (Oct 21)
- Re: Multiple instances of snort on one box? Nick Hatch (Oct 21)
- <Possible follow-ups>
- Re: Multiple instances of snort on one box? Paul Schmehl (Oct 21)
