From: Martin Roesch (roeschMD.PRESTIGE.NET)
Date: Fri Apr 06 2001 - 14:55:02 CDT


    Torgeir Hansen wrote:
    >
    > I've done some testing with snort and found out that it doesn't tell me that
    > it drops ANY packets when run on Linux (Slackware, PIII 800 MHz with 512 MB RAM
    > and an IDE drive),
    > however when I do the same test on the same hardware, but with OpenBSD - it
    > tells me that it drops around 80-84% of packets..

    Linux doesn't keep dropped packet stats in versions prior to 2.4...

    > These tests were done on a 100 Mbit/s switched LAN, using this snort rule at the
    > end of all the original rules:
    > alert tcp any any -> any any (msg: "IDS01 - DoS-data";)

    That's why you're dropping so many packets, you're logging almost all of
    your TCP traffic to the hard drive!

        -Marty

    > Abe Getchell wrote:
    >
    > > I've tested Snort (Linux version on Red Hat 7.0) on a T3, almost
    > > fully utilized at 43 Mbit/sec, on a single processor PIII 800 w/ 512 MB of
    > > memory. The box's processor was hammered, about 98% utilization, but it
    > > only utilized about 120 MB of memory. It didn't drop any packets. Just make
    > > sure you have a good NIC. That's probably the most important consideration.
    > > If you're going to sniff tagged traffic, make sure you have a card which
    > > supports 802.1Q.
    > >
    > > Thanks,
    > > Abe
    > >
    > > Abe L. Getchell - Security Engineer
    > > Division of System Support Services
    > > Kentucky Department of Education
    > > Voice 502-564-2020x225
    > > E-mail agetchelkde.state.ky.us
    > > Web http://www.kde.state.ky.us/
    > >
    > > > -----Original Message-----
    > > > From: Pedro Ortale Neto [mailto:ortaleUNSECURITY.COM.BR]
    > > > Sent: Monday, March 26, 2001 12:20 PM
    > > > To: FOCUS-IDSSECURITYFOCUS.COM
    > > > Subject: Re: Snort - Sensor and Analyst console HW config
    > > >
    > > >
    > > > Hi,
    > > >
    > > > Well.. I use snort in a T1 environment and it works fine. Snort is a
    > > > 'lightweight' IDS, so a Pentium 2 machine with 64 MB of RAM and a good
    > > > amount of disk space is enough ;)
    > > >
    > > > rgds,
    > > >
    > > > Pedro Ortale Neto
    > > >
    > > > ----- Original Message -----
    > > > From: "Subba Rao" <subba9home.com>
    > > > To: <FOCUS-IDSSECURITYFOCUS.COM>
    > > > Sent: Saturday, March 24, 2001 2:44 PM
    > > > Subject: Snort - Sensor and Analyst console HW config
    > > >
    > > >
    > > > > Hello,
    > > > >
    > > > > I am planning to deploy a Snort IDS for a client of mine. The Internet
    > > > > connection is at 256K to their ISP. What kind of processor and memory would be
    > > > > recommended for a sensor with 4 NICs monitoring about 3 DMZs? There will be
    > > > > only one analysis system. What kind of processor and memory is required on this
    > > > > system?
    > > > >
    > > > > Hopefully someone here has configured HW for Snort in production. If there is
    > > > > anything I have to watch out for, please let me know.
    > > > >
    > > > > Thank you in advance for any input.
    > > > > --
    > > > >
    > > > > Subba Rao
    > > > > subba9home.com
    > > > > http://members.home.net/subba9/
    > > > >
    > > >
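
Marty's point above is that the rule header `alert tcp any any -> any any` fires on every TCP packet the sensor sees, so the alert output path (and the disk behind it) becomes the bottleneck, not the rule engine. The following toy matcher is an added example written for this archive page; it is not Snort's code and not part of any message in the thread. It parses only the rule header (action, protocol, addresses, ports, direction) and a `msg` option, and runs the catch-all rule from the thread and a constructed targeted rule over a constructed packet mix to show how large a fraction of traffic each one would alert on. The `192.168.1.0/24` web-server subnet, the targeted rule text and the sample 5-tuples are all assumptions invented for the example.

```python
"""Toy Snort-style rule-header matcher (added example, not Snort's own code).

Demonstrates why a catch-all header such as ``alert tcp any any -> any any``
alerts on nearly every TCP packet, while a targeted header alerts on few.
Only the rule header and the msg option are modelled; other options are ignored.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp", ...
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class RuleHeader:
    action: str
    proto: str
    src: str
    sport: str
    direction: str  # "->" or "<>"
    dst: str
    dport: str
    msg: str


# action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_rule(text):
    """Parse a single-line rule into a RuleHeader; raise on malformed input."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: %r" % text)
    msg_m = re.search(r'msg:\s*"([^"]*)"', m.group("opts"))
    return RuleHeader(m.group("action"), m.group("proto").lower(), m.group("src"),
                      m.group("sport"), m.group("dir"), m.group("dst"), m.group("dport"),
                      msg_m.group(1) if msg_m else "")


def _addr_match(spec, addr):
    """'any', a CIDR block, or a single address."""
    if spec == "any":
        return True
    if "/" in spec:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    return spec == addr


def _port_match(spec, port):
    """'any', a 'lo:hi' range (either end open), or a single port."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def _one_way(rule, pkt):
    return (_addr_match(rule.src, pkt.src) and _port_match(rule.sport, pkt.sport)
            and _addr_match(rule.dst, pkt.dst) and _port_match(rule.dport, pkt.dport))


def matches(rule, pkt):
    """True if the rule header would fire on this packet ('<>' checks both ways)."""
    if rule.proto != pkt.proto:
        return False
    if _one_way(rule, pkt):
        return True
    if rule.direction == "<>":
        rev = Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return _one_way(rule, rev)
    return False


def alert_fraction(rule_text, packets):
    """Fraction of packets on which the rule would raise (and log) an alert."""
    rule = parse_rule(rule_text)
    hits = sum(1 for p in packets if matches(rule, p))
    return hits / len(packets)


# Constructed traffic mix for the example (made up, not captured data).
SAMPLE = [
    Packet("tcp", "10.0.0.5", 40000, "192.168.1.10", 80),
    Packet("tcp", "10.0.0.6", 40001, "192.168.1.10", 80),
    Packet("tcp", "10.0.0.7", 40002, "192.168.1.20", 443),
    Packet("tcp", "192.168.1.10", 80, "10.0.0.5", 40000),   # server reply
    Packet("tcp", "10.0.0.8", 40003, "172.16.0.9", 22),
    Packet("tcp", "10.0.0.9", 40004, "172.16.0.9", 25),
    Packet("tcp", "10.0.0.5", 40005, "192.168.2.10", 80),   # other subnet
    Packet("tcp", "10.0.0.10", 40006, "192.168.1.30", 139),
    Packet("udp", "10.0.0.5", 53000, "10.0.0.1", 53),
    Packet("udp", "10.0.0.6", 53001, "10.0.0.1", 53),
]

CATCH_ALL = 'alert tcp any any -> any any (msg: "IDS01 - DoS-data";)'  # from the thread
TARGETED = 'alert tcp any any -> 192.168.1.0/24 80 (msg: "example web traffic";)'  # assumed

if __name__ == "__main__":
    for r in (CATCH_ALL, TARGETED):
        print("%-72s alerts on %3.0f%% of sample packets" % (r, 100 * alert_fraction(r, SAMPLE)))
```

On the constructed sample the catch-all rule alerts on 80% of packets (every TCP packet), the targeted one on 20%; on a real switched LAN the first number is whatever share of the link is TCP, which is the logging load Marty describes.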