snort and system requirements

  1. #1
    AO übergeek phishphreek
    Join Date
    Jan 2002
    Posts
    4,325

    snort and system requirements

    I've been playing around with snort lately. For the most part, I've just been playing with it in a lab.
    I've tried on both windows and linux. I seem to prefer linux.

    I have configured snort on Fedora Core 2 with Apache, mysql, php and ACID.

    I followed the guide that is on snort.org with some minor changes.

    I plan on running this in parallel to our current IDS to see how it holds up.
    If all works out well, I'll be replacing my current IDS.

    First off, a little info about the box on which it is running:

    PIII 800MHZ, 256mb ram (soon to be upgraded to 512), 20 gig HD.

    In the lab environment, there are only a dozen or so PCs all hooked to a switch which is hooked to a hub (so I can use snort) and then to a router.

    In the production environment it will be similar. I'll be putting it after the firewall.
    There will also be many more active boxes.

    The listening interface will have no ip address.
    The access interface will be on a separate private network which only two workstations will be able to access. I have locked down the box and services. Only two user accounts will have access to sshd, and only one user account to ACID.

    I couldn't find any good resources for this:

    Some Questions:

    What are the recommended system requirements for a T1 with about 150 users?
    Would the hardware that I'm currently using be enough?
    Should I get a new dedicated server for this with a lot of storage?
    How much storage do I need?
    Does it matter that I keep the logs on the snort box?

    During the install I selected no mail servers.
    However, sendmail is installed and running. I didn't kill that service. Is sendmail necessary?
    sendmail is currently firewalled and it can't be used except for locally.

    Thanks for any input you have! You know I appreciate it!
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
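    The sensor layout described in this post (a listening NIC with no IP address, a locked-down management side, sendmail left running but firewalled), as an added example that is not from the thread and not part of Snort itself: a small shell script that brings the sniffing interface up without an address, confirms that sendmail is bound to loopback only before the sensor starts, and then launches Snort on that interface. The interface name eth1, the config path, the snort user and group, and the two netstat listings are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Snort itself.
# Prepares a two-NIC sensor: the listening NIC gets no IP address, the
# management NIC stays as configured, and Snort only starts once sendmail is
# confirmed to be bound to loopback.  Assumed (hypothetical) values:
#   eth1 = listening NIC on the hub, /etc/snort/snort.conf = ruleset,
#   snort:snort = unprivileged account Snort drops to after opening the socket.

SNIFF_IF="${SNIFF_IF:-eth1}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
LOG_DIR="${LOG_DIR:-/var/log/snort}"

# Bring the sniffing interface up with no address, in promiscuous mode and with
# ARP off, so it can hear everything on the segment but never answer on it.
prep_sniff_if() {
    if command -v ip >/dev/null 2>&1; then
        ip addr flush dev "$1" && ip link set "$1" arp off promisc on up
    else
        ifconfig "$1" 0.0.0.0 -arp promisc up   # net-tools syntax on older systems
    fi
}

# Read `netstat -lnt` output on stdin and succeed only if every TCP listener on
# port $1 is bound to a loopback address.  Anything on 0.0.0.0, :: or the
# management IP is reachable from the network and fails the check.
listens_local_only() {
    awk -v port="$1" '
        $1 == "tcp" || $1 == "tcp6" {
            n = split($4, a, ":")
            p = a[n]
            host = substr($4, 1, length($4) - length(p) - 1)
            if (p == port && host !~ /^127\./ && host != "::1") bad = 1
        }
        END { exit (bad ? 1 : 0) }'
}

# Constructed sample: what a locked-down sensor looks like (sendmail on loopback,
# sshd and the ACID web server on the management address only).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.2:22             0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.2:443            0.0.0.0:*               LISTEN'

# Constructed sample: sendmail accepting connections on every interface.
SAMPLE_NETSTAT_BAD='tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN'

start_sensor() {
    prep_sniff_if "$SNIFF_IF" || return 1
    if ! netstat -lnt 2>/dev/null | listens_local_only 25; then
        echo "sendmail is listening on a non-loopback address; fix DAEMON_OPTIONS in sendmail.mc or stop it" >&2
        return 1
    fi
    # -D daemonise, -i listen on the sniffing NIC, -l/-c log dir and ruleset,
    # -u/-g drop root privileges once the raw socket is open.
    snort -D -i "$SNIFF_IF" -c "$SNORT_CONF" -l "$LOG_DIR" -u snort -g snort
}

# Run as root on the sensor:  SNIFF_IF=eth1 sh prep_sensor.sh start
if [ "${1:-}" = "start" ]; then
    start_sensor
fi
```

    Fedora's stock sendmail.mc carries DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA') so a default install listens on 127.0.0.1:25 only; the check above confirms that on the running box instead of trusting the default, and the host firewall the post mentions remains the second layer if someone later edits that line.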

  2. #2
    AO übergeek phishphreek
    Join Date
    Jan 2002
    Posts
    4,325
    I've done some more searching for system requirements. I stumbled on an ebook for snort 2.1 but I'm using 2.2. I can't imagine it being *that* much different.

    But the book didn't really offer up too much info, scenarios or case studies, etc.
    Here is what they have to say:

        Another highly recommended hardware component for Snort is a second
        Ethernet interface. One of the interfaces is necessary for typical network connectivity
        (SSH, Web services, and so forth), and the other interface is for Snorting.
        This sensing interface that does the "snorting" is your "Snort sensor."
        Snort does not have any particular hardware requirements that your OS
        doesn't already require to run. Running any application with a faster processor
        usually makes the application work faster. However, you will be limited in the
        amount of data you collect by your network connection and by your hard drive.
        However, you will need to have a reasonable size network interface card (NIC)
        to collect the correct amount of network packets. For example, if you are on a
        100MB network, you will need a 100MB NIC to collect the correct amount of
        packets. Otherwise, you will miss packets and be unable to accurately collect alerts.
        In addition, you will need a good size hard drive to store your data. If your
        hard drive is too small, there is a good chance that you will be unable to write
        alerts to either your database or log files. For example, our current setup for a
        single Snort sensor is a 9GB partition for /var.

    Ok, second NIC... not a problem. 100MB NICs, also not a problem. It's difficult to find systems with less than 100MB NICs nowadays.

    Ok, they say "a good sized hard drive". What exactly is a "good sized hard drive"? IMO, a 250GB hard drive is "good sized". I could use another one at home. But for snort what do I need!? They say they used a 9 gig partition for /var. Ok, that's a start... but they didn't say what type of network load, the type of traffic (services), how many machines/users or how long that 9 gigs would last.

    I realize that every network is going to differ. I would just like to get some *idea*.
    If I can get an idea of what someone else uses, then I can try to figure out what I'll be using.
    I guess it's not that big of a deal. If the HD starts to get filled, I can add a new one or purge some logs.

    Ok, end of rant #1. Stay tuned for further rants... if any.

  3. #3
    Banned
    Join Date
    Apr 2003
    Posts
    1,146
    I set up the Linux version of Snort 2.1 with MySql and such, on a PIII 733, 512 MB RAM, with a 30 GB hard drive. With the database collecting the dumps, the space will be more efficiently used, so a larger HD won't make a lot of difference. You will have to clean up more often. As far as RAM is concerned, the more the merrier.

    One NIC for the normal network access to send messages and alerts. One NIC for the capture interface. Most of the Snort or other sniffer drivers don't like to/won't use just one NIC. It also screws up your captures.

    The newer versions don't have any different "system requirements" so that shouldn't be a problem.

    /edit
    forgot to add that mine was looking at a router passing 3xDS1 lines with two full networks on the business end.
    /edit

  4. #4
    AO übergeek phishphreek
    Join Date
    Jan 2002
    Posts
    4,325
    rapier57: Thanks for your reply. I will use the machine I currently have for now.
    I'm just going to add a larger HD for the logs/database and double the memory to 512.

  5. #5
    Senior Member kr5kernel
    Join Date
    Mar 2004
    Posts
    347
    That should be fine for you; with proper tweaking, you can have snort eliminate flooding your logs with false positives. As long as you maintain the event database on a regular basis (and with 250 GB, "regular" could be a while), you will be fine. Our IDS is running on an Athlon XP 3200, 512 MB Ram, and a 120 GB HD, and it runs impeccably.
    kr5kernel
    (kr5kernel at hotmail dot com)
    Linux: Making Penguins Cool Since 1994.
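    The "maintain the event database on a regular basis" advice above, together with the /var sizing question in posts #2 and #3, as an added example that is not from the thread and not part of Snort or ACID: a cron-style shell script that reads /var usage, picks a retention window (shorter when the partition is nearly full), and deletes events older than that cutoff from the stock Snort MySQL schema and ACID's tables, child rows first, then rebuilds the tables so MyISAM returns the space. The database name "snort", credentials in ~/.my.cnf, the 30-day window, the 85% high-water mark and the df listing are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread, ACID or Snort.
# Cron job for a Snort sensor that logs to MySQL via the stock snort schema
# plus ACID's tables: measures /var usage, then deletes events older than the
# retention window (a shorter window when /var is nearly full) and rebuilds the
# tables so MyISAM hands the space back.  Assumed (hypothetical) values:
#   database "snort", credentials in ~/.my.cnf under [client], /var on its own
#   partition, 30-day retention, purge harder above 85% usage.

DB_NAME="${DB_NAME:-snort}"
VAR_MOUNT="${VAR_MOUNT:-/var}"
KEEP_DAYS="${KEEP_DAYS:-30}"
HIGH_WATER="${HIGH_WATER:-85}"

# Read `df -P` output on stdin and print the use% of the given mount point.
# Fails if the mount point is not in the listing.
usage_pct() {
    awk -v mnt="$1" '
        $NF == mnt { sub(/%/, "", $5); print $5; found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Emit the SQL that removes every event (and its per-packet child rows) with a
# timestamp before $1.  Child tables go first because nothing in the schema
# enforces the (sid, cid) relation for us; the multi-table DELETE form works on
# MySQL 4.0, which had no subqueries.  The cutoff is checked to look like a
# date so a bad argument cannot turn into arbitrary SQL.
build_purge_sql() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]*) ;;
        *) echo "refusing to build purge with cutoff '$1'" >&2; return 1 ;;
    esac
    for t in data iphdr tcphdr udphdr icmphdr opt acid_event; do
        echo "DELETE $t FROM $t, event WHERE $t.sid = event.sid AND $t.cid = event.cid AND event.timestamp < '$1';"
    done
    # ACID's alert-group membership table keys on ag_sid/ag_cid instead.
    echo "DELETE acid_ag_alert FROM acid_ag_alert, event WHERE acid_ag_alert.ag_sid = event.sid AND acid_ag_alert.ag_cid = event.cid AND event.timestamp < '$1';"
    echo "DELETE FROM event WHERE event.timestamp < '$1';"
    echo "OPTIMIZE TABLE event, data, iphdr, tcphdr, udphdr, icmphdr, opt, acid_event, acid_ag_alert;"
}

# Constructed sample of `df -P` on a sensor whose /var is 90% full.
SAMPLE_DF='Filesystem         1024-blocks      Used Available Capacity Mounted on
/dev/hda3              9229888   7845600    915444      90% /var
/dev/hda1               101086     12345     83522      13% /boot'

# Pick the retention window from the current usage: the normal window below
# the high-water mark, half of it above, so Snort never finds /var full and
# silently stops writing alerts.
retention_days() {   # $1 = current use%
    if [ "$1" -ge "$HIGH_WATER" ]; then
        echo $((KEEP_DAYS / 2))
    else
        echo "$KEEP_DAYS"
    fi
}

maintain() {
    pct=$(df -P "$VAR_MOUNT" | usage_pct "$VAR_MOUNT") || return 1
    days=$(retention_days "$pct")
    cutoff=$(date -d "$days days ago" '+%Y-%m-%d %H:%M:%S')   # GNU date
    build_purge_sql "$cutoff" | mysql "$DB_NAME"
}

# e.g. from /etc/cron.daily:  sh snort_db_maint.sh run
if [ "${1:-}" = "run" ]; then
    maintain
fi
```

    Keep the MySQL user and password in ~/.my.cnf (mode 0600) under [client], which the mysql client reads by default, rather than passing them with -p on the command line where every local user can see them in ps; the script only needs DELETE and the OPTIMIZE privilege on the snort database, not the account ACID or Snort's output plugin uses.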
