Re: Snort- Minimum system requirements

From: Michael J McCafferty (michael.j.mccafferty@saic.com)
Date: 07/24/01


Message-ID: <3B5D2370.47880D9E@saic.com>
Date: Tue, 24 Jul 2001 00:27:44 -0700
From: Michael J McCafferty <michael.j.mccafferty@saic.com>
To: Crist Clark <crist.clark@globalstar.com>
Subject: Re: Snort- Minimum system requirements


    I had a system get compromised while Snort was watching it from an AMD 300,
96Mb RAM, and 1Gb log slice. The attacker used the compromised system to begin
scanning the Internet for other systems with port 111 open at the rate of 1
million hosts per hour (regular old Road Runner cable modem service). The logs on
the Snort machine grew very large in just a few hours. Naturally, the port scan
log grew, but so did the alert log due to the number of hosts scanning the
compromised host back. The firewall was also logging every packet with tcpdump.
If I had been unaware of the situation for a few more hours, the disk would have
reached 100%. The CPU and memory were sufficient, but busy during this episode.

Take note:
Obviously, don't even think about using your / slice for logs (but we already
knew that, right?). :o)
Size your log slice according to how fat the pipe you are watching is. I dug up
an old 3Gig to add as a log disk after that experience. At my current workplace,
we use Snort on a single 1Ghz CPU, 256Mb RAM and a 54Gb 10krpm RAID-5 disk array
to watch two Internet T1s and several assorted non-public (but still not trusted)
Frame Relay circuits. I am very comfortable with Snort on that hardware for that
network, and am satisfied that it will handle far more.

Mike

Crist Clark wrote:

> "Ingersoll, Jared" wrote:
> >
> > Hi,
> >
> > I'm wondering if anyone has any recommendations as to the minimum systems
> > requirements to run snort on Intel/Linux. This will sit between a 10/100
> > network and a T1. I currently have a 400 MHz PII which I have my eye on,
> > however, it only has a 4 Gig Drive and 64 MB memory.
> >
> > I know from doing research on other IDS, most out of the box solutions have
> > a minimum of 256 MB of memory.
>
> Are you ready for the answer? Here it comes: "It depends."
>
> First, unless you are really planning on doing something extreme, a 400 MHz
> processor is plenty, if not overkill, for T1 levels of traffic. As for the
> memory, it mainly depends on how big your ruleset is going to be and if
> you do things like stream reassembly. IMHO, 64 MB should be fine unless
> you are _really_ going to load up on rules (thousands and thousands of
> rules) or do a lot of stream reassembly.
>
> Disk however... If you are going to be letting data accumulate on the
> machine for any period of time, you'll need more disk. If you are
> continuously off-loading data to other machines, it may not be an issue
> since Snort and your OS will easily fit into less than 1 GB. However, if
> you are logging full packet data for any period on the machine, 3 GB
> is not very much. Disks are cheap. You can get >>20 GB for <$100 these
> days.
>
> Finally, if you want more info, try the Snort Users list. Go to
> http://www.snort.org/ and follow the "Mailing List" links for more
> info.
> --
> Crist J. Clark Network Security Engineer
> crist.clark@globalstar.com Globalstar, L.P.
> (408) 933-4387 FAX: (408) 933-4926
>
> The information contained in this e-mail message is confidential,
> intended only for the use of the individual or entity named above. If
> the reader of this e-mail is not the intended recipient, or the employee
> or agent responsible to deliver it to the intended recipient, you are
> hereby notified that any review, dissemination, distribution or copying
> of this communication is strictly prohibited. If you have received this
> e-mail in error, please contact postmaster@globalstar.com
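The sizing advice in both messages (Mike's "size your log slice according to how fat the pipe is" and Crist's "3 GB is not very much" for full packet logging) comes down to bytes per hour versus free space. The shell script below is an added example, not code from either poster or from the Snort project: it turns a link rate into a worst-case log growth figure, estimates how long a given partition lasts, and checks a log mountpoint against a usage threshold with df so the disk-at-100% situation Mike describes is caught early. The T1 rate (1.544 Mbit/s) is the nominal line rate; the 3 GB figure is taken from Crist's reply, and the utilisation and capture-fraction inputs are constructed values for the example.

```shell
#!/bin/sh
# Added example (not from the thread): rough capacity planning for a Snort
# log partition plus a df-based threshold check. Link rates and fractions
# passed in below are constructed inputs, not measurements from the thread.

# bytes_per_hour <link_bits_per_second> <utilisation 0..1> <capture_fraction 0..1>
# Worst-case bytes written per hour when the sensor (or a tcpdump on the
# firewall, as in Mike's setup) logs capture_fraction of the bytes seen on a
# link running at the given utilisation.
bytes_per_hour() {
  awk -v bps="$1" -v util="$2" -v frac="$3" \
    'BEGIN { printf "%d\n", bps / 8 * util * frac * 3600 }'
}

# hours_until_full <free_bytes> <bytes_per_hour>
# Hours (one decimal) before a partition with free_bytes free is exhausted;
# prints "inf" when nothing is being written.
hours_until_full() {
  awk -v free="$1" -v rate="$2" \
    'BEGIN { if (rate <= 0) { print "inf"; exit } printf "%.1f\n", free / rate }'
}

# log_partition_pct_used <mountpoint>
# Percent used as reported by df -P, with the trailing % stripped.
log_partition_pct_used() {
  df -P "$1" | awk 'NR == 2 { sub(/%/, "", $5); print $5 }'
}

# check_log_partition <mountpoint> <threshold_pct>
# Returns 0 while usage is below the threshold, 1 (with a warning on stderr)
# once it reaches it. Suitable for a cron job that pages before the log
# slice fills and the sensor stops recording.
check_log_partition() {
  used=$(log_partition_pct_used "$1")
  if [ "$used" -ge "$2" ]; then
    echo "WARNING: $1 is ${used}% full (threshold $2%)" >&2
    return 1
  fi
  return 0
}

# Worked case: one T1 (1.544 Mbit/s) at full utilisation, full-packet logging,
# against the 3 GB log disk mentioned in the thread.
t1_rate=$(bytes_per_hour 1544000 1.0 1.0)
echo "T1 full-packet logging: $t1_rate bytes/hour"
echo "3 GB log disk lasts: $(hours_until_full 3000000000 "$t1_rate") hours"
# Assumed mountpoint for the log slice; replace with your own (e.g. /var/log/snort).
check_log_partition / 90 || true
```

At the nominal T1 rate the script reports roughly 0.69 GB per hour, so a 3 GB partition holding full packet data is gone in a little over four hours of saturated traffic; a 1 GB slice such as the one in Mike's story lasts correspondingly less. Real traffic is rarely at line rate in both directions, so treat the figure as the ceiling the disk must survive, not the average.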


