Snort mailing list archives

Purchasing New Equipment for Snort


From: "Merida, Dylan" <Dylan.Merida () EKU EDU>
Date: Mon, 18 Apr 2011 15:23:32 -0400

Hey All,

It's come time for EKU to do some equipment upgrades. I have the opportunity to throw some beefy hardware at snort and 
its database server. Our current setup is running on one single-core 3.2 GHz Xeon with 12 GB of RAM. The MySQL 
database is hosted on a separate box that's a multicore Xeon; it also serves one other purpose, so the load is quite 
high (and slow) when performing extensive database queries. I'm currently running one sensor at egress/ingress to the 
internet. I would like to deploy 4 more sensors throughout our network and run this on one multicore box. We currently 
average about 1.5 million alerts a day on a gigabit pipe that averages around 300 Mbps. Queries are quite slow when 
examining a large dataset (like 24 hrs), so I also want queries to be extremely fast in BASE and Snorby.

My question is this: If I could buy two servers with any specs that I wanted, what would allow me to run 5 sensors on 
one box and a beefy MySQL database on another that can run most queries in under 10 seconds?

So far, we've tried some tests with a large storage box with SSD cache running FreeBSD and ZFS. There appear to be some 
limitations in the FreeBSD MySQL daemon. I'd also like to know what OSes you might suggest. (We're fans of Red Hat, but 
are open to anything.) Also, would you run Barnyard on the sensor box or push the alerts to the DB server and then 
parse them from there?

Let me know what you think.

Thank you,

Dylan Merida
Security Analyst
Information Technology
Eastern Kentucky University

NOTE: IT @ EKU will NEVER request passwords or other personal information via email. Messages requesting such 
information are fraudulent and should be deleted.

