This is a discussion on Re: [Snort-users] Deployment Sizes? was: anyone trying kickfire to within the Snort forums, part of the System Security and Security Related category.
Well, I wasn't in charge of the deployment. I handed it off to one of the guys on my team to do the research and recommendations.

Part of the problem is that there is no SOLID advice out there on how to set up and tweak a lot of this stuff. We have the O'Reilly books and have done some searches, but there is a lot of hand waving and not a lot of solid answers.

So, you're saying that if I were to have another machine do the actual capture and a separate database machine, I'd be better off in the long haul? That should be pretty easy to set up.

Stewart

On Fri, May 2, 2008 at 10:00 PM, Jason Haar <Jason.Haar@trimble.co.nz> wrote:
> Stewart L wrote:
> > Define a large installation?
> >
> > That's something I've been wondering... We've set up a big central
> > snort box on a 16 core machine with 16GB of RAM and 1.2TB of disk.
> > We're currently running 6 instances of snort on this hardware and plan
> > on having 12-16 instances when our rollout is complete. We'll likely
> > also have a couple remote sensors feeding stuff into MySQL over the
> > network.
> >
> ..well that classifies you as "a large installation" in my eyes :-)
>
> BTW: are you saying you're running 6 instances of snort on the same box
> as your database? I thought that was a Bad Idea(tm)...
>
> However, I guess if your IDS only generates 1 event per minute, then
> there really isn't much competing occurring. Although when you actually
> use the SQL data (eg via BASE), then it could hurt your packet
> inspection...?
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Stewart

The revolution will not be televised.
The revolution will be no re-run brothers;
The revolution will be live.
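The layout Jason is warning about and the one Stewart is asking about, as an added example that is not code from the thread, from Snort or from either poster. The Snort 2.x `output database:` plugin runs inside the single Snort process, so each insert sits in the packet-processing path and a busy MySQL (BASE queries, other sensors' inserts) stalls inspection. The decoupled alternative is `output unified2:` to a local spool, with a separate reader shipping events to a database on another machine; barnyard2 is assumed as that reader (the thread does not name one), and every hostname, path and credential below is a placeholder. The small POSIX sh checker classifies a config fragment and extracts the database host so a sensor that still writes into a local MySQL is visible.

```shell
#!/bin/sh
# Added example for this thread; not the Snort project's code nor the posters'.
# Directive names are real Snort 2.x / barnyard2 syntax; values are made up.

# Constructed: the layout the thread is worried about. The database output
# plugin does its INSERTs synchronously inside the single Snort process, so
# database latency (e.g. while BASE is querying) becomes inspection latency.
INLINE_DB_CONF='# snort.conf fragment
output database: log, mysql, user=snort password=changeme dbname=snort host=localhost'

# Constructed: decoupled layout. Snort only appends to a local binary spool.
UNIFIED2_CONF='# snort.conf fragment
output unified2: filename snort.u2, limit 128'

# Constructed: a separate reader on the sensor (barnyard2, assumed) ships the
# spool to a database on a different machine; capture never waits on MySQL.
BARNYARD2_CONF='# barnyard2.conf fragment
config hostname: sensor01
config interface: eth1
input unified2
output database: log, mysql, user=snort password=changeme dbname=snort host=db.example.internal'

# Drop comment lines from a config passed as $1.
strip_comments() {
    printf '%s\n' "$1" | grep -Ev '^[[:space:]]*#' || true
}

# Print how a config emits events: inline-db (database plugin in-process),
# unified (binary spool for a separate reader), or none.
output_mode() {
    body=$(strip_comments "$1")
    if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*output[[:space:]]+database[[:space:]]*:'; then
        echo inline-db
    elif printf '%s\n' "$body" | grep -Eq '^[[:space:]]*output[[:space:]]+(unified2|log_unified|alert_unified)[[:space:]]*:'; then
        echo unified
    else
        echo none
    fi
}

# Print the host= value of the first "output database:" line, or "none".
db_output_host() {
    host=$(strip_comments "$1" \
        | grep -E '^[[:space:]]*output[[:space:]]+database[[:space:]]*:' \
        | sed -n '1s/.*host=\([^[:space:]]*\).*/\1/p')
    [ -n "$host" ] && echo "$host" || echo none
}

# Succeed when the database host is the sensor itself (the "same box" case).
db_host_is_local() {
    case "$(db_output_host "$1")" in
        localhost|127.0.0.1|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: classify the three constructed fragments.
for name in INLINE_DB_CONF UNIFIED2_CONF BARNYARD2_CONF; do
    eval "cfg=\$$name"
    printf '%-15s mode=%-9s db_host=%s\n' "$name" "$(output_mode "$cfg")" "$(db_output_host "$cfg")"
done
```

Moving the database to another host removes the per-event round trip from the capture path, but a spool reader and BASE running on the sensor still compete with the Snort instances for CPU and disk, which is the competition Jason describes; the checker only flags the configuration half of that.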