Re: [Snort-users] Multiple instances of snort on one box?



10-21-2004
Matt Kettler

At 03:39 PM 10/21/2004, Drew Stockman wrote:
>We are trying to consolidate machines and I am being asked if we can put
>all of the snort sensors on one box. I was just wondering if anyone can
>point me in the right direction. I believe I have to run separate
>instances of Snort listening on different NICs, correct?


Depends a bit on your OS. Most linuxes will support -i "any", which will
allow a single snort process to sniff all three. However, your results
will be mixed together.

It is however quite possible to run multiple snorts.

>Also, what kind of hardware would it take to replace 3 sensors, each
>listening to a T-1 connection?



Sniffing 3 T1's is 9mbit/sec max cross-section: 3 * (1.5 in + 1.5 out) = 9mbit/sec.

That shouldn't be terribly hard for even a low-end box to handle. I used to
monitor a single t1 using Snort 2.0 on a 133mhz Pentium I without much
trouble, provided I disabled spp_conversation and portscan2. Admittedly
this was pre-pcre, but it's a starting point.

If a single t1 can be monitored on a p-133, 3 should be able to be handled
on a 400mhz box. There's a good bit of overhead to PCRE, but there's also a
big difference between a Pentium and a Pentium II or better, even at the
same clock.

Provided your NICs aren't Realtek 8139's or similar inefficient cheap
cards, and you use efficient logging (i.e. ascii-mode packet dumps), you
should be able to handle it on a PII-400 or better. But I'd consider this a
minimum; a little extra CPU never hurt.

Make sure you've got about 40mb of ram for each snort, plus a minimum of
64mb for the OS, etc. So I'd say 192mb of ram really should be your minimum
goal.

If you want to run acid/sql on this box, double all of the above minimums.


> Is there any documentation out there on setting up a multiple Snort
> sensor like this?



Shouldn't be difficult, particularly if you chroot them with -t.
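The layout Matt describes (one snort per NIC, each chrooted with -t so the three T1 feeds stay separate instead of being mixed together as with -i any) can be scripted. The launcher below is an added example, not something from the thread or from the Snort project; it assumes Snort 2.x command-line flags, interface names eth1/eth2/eth3, a per-sensor config under /etc/snort/sensors, a jail per sensor under /var/snort, and a "snort" user and group, all of which are placeholders to adapt. The command line is built by a function and printed first so it can be reviewed before anything is started.

```shell
#!/bin/sh
# Added example (not from the original thread): one Snort 2.x process per
# monitored NIC, each with its own config, log directory, pid-file suffix
# and chroot jail, so alerts from the three T-1 links are not mixed together.
# Assumed/placeholder values: interface names, the /etc/snort/sensors layout,
# the /var/snort/<iface> jails, and the "snort" user/group.

SNORT_BIN="${SNORT_BIN:-/usr/sbin/snort}"
CONF_DIR="${CONF_DIR:-/etc/snort/sensors}"
JAIL_ROOT="${JAIL_ROOT:-/var/snort}"

# Build (but do not run) the command line for one sensor.
#   -i  NIC to sniff            -c  per-sensor rules/config file
#   -l  log directory, kept inside the jail because -t chroots the process
#   -t  chroot directory        -u/-g  drop privileges after startup
#   -R  suffix for the pid file so three daemons do not clobber each other
#   -D  run as a daemon
snort_cmd() {
    iface="$1"
    jail="$JAIL_ROOT/$iface"
    printf '%s -i %s -c %s/%s.conf -l %s/log -t %s -u snort -g snort -R %s -D\n' \
        "$SNORT_BIN" "$iface" "$CONF_DIR" "$iface" "$jail" "$jail" "$iface"
}

# Refuse to start a sensor whose config file is missing; returns 0/1.
sensor_config_present() {
    [ -r "$CONF_DIR/$1.conf" ]
}

# Create the per-sensor jail and log directory (needs root).
prepare_jail() {
    mkdir -p "$JAIL_ROOT/$1/log" && chown snort:snort "$JAIL_ROOT/$1/log"
}

# Start one daemon per interface given on the command line.
start_sensors() {
    for iface in "$@"; do
        if ! sensor_config_present "$iface"; then
            echo "no config for $iface at $CONF_DIR/$iface.conf" >&2
            return 1
        fi
        prepare_jail "$iface" || return 1
        echo "starting: $(snort_cmd "$iface")"
        sh -c "$(snort_cmd "$iface")" || return 1
    done
}

# Only start daemons when explicitly asked, e.g.:
#   ./multi_snort.sh start eth1 eth2 eth3
case "${1:-}" in
    start) shift; start_sensors "$@" ;;
esac
```

Each sensor gets its own snort.conf, so the rule set and output plugins can differ per link, and its own log directory under the jail, so the -t chroot does not cut the process off from where it writes. The pid-file suffix is the detail most easily forgotten when several snorts run on one host.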




