[unisog] Snort setup

Peter Van Epp vanepp at sfu.ca
Wed Dec 12 20:37:05 GMT 2001

> I'm considering setting up snort and have a couple of questions.  We're
> in need of capturing around 200-300mbs of traffic now, and likely more in
> the future.
> So, given that, what kind of horsepower do I need in the way of a PC?  How
> much disk space for data collection?  What kind of probe?
> I've been doing some work with argus, but figured that since everyone in
> the known universe uses snort, I should set it up and what it'll do for
> me.
> Thanks!
> John
> John K. Lerchey
> Computer and Network Security Coordinator
> Computing Services
> Carnegie Mellon University
Compared to argus a big one :-). Snort wants to capture the full packet
(argus only wants the first 128 bytes or so) so you need much more memory
bandwidth for Snort. I'd be tempted to look at one of the big Tyan motherboards
that does memory interleaving and the Linux kernel that has the 0 copy BPF
support (unfortunately I've only heard reference to this and don't have a
location for it). This is reputed to avoid the kernel to user space bpf copy
by remapping the memory page that contains the packet into user space via the
page table rather than doing a copy. That should be a huge win in performance.
Once you are up then you want to check the packet loss counters (and/or use
tcpreplay to test) to make sure you are getting the performance you need.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
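The reply above recommends checking the packet loss counters once the sensor is up, because a sensor that silently drops packets has blind spots an attacker's traffic can fall into. The script below is an added example, not part of the original post or of Snort itself: it parses the "Packet I/O Totals" block that later Snort releases (2.9-style; the exact layout is an assumption and varies by version) print at shutdown, computes the drop rate against the received count, and reports whether the box is keeping up. The statistics text is constructed sample data, not output captured from a real sensor.

```python
import re

# Constructed sample, modelled on the "Packet I/O Totals" block that Snort 2.9
# prints when it exits (assumption: older/newer versions format this differently).
SAMPLE_STATS = """\
===============================================================================
Packet I/O Totals:
   Received:      1234567
   Analyzed:      1234000 ( 99.954%)
    Dropped:          567 (  0.046%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
"""

# One counter per line: optional indent, a known name, a colon, then the integer.
# The percentage in parentheses (when present) is ignored and recomputed below.
_COUNTER = re.compile(
    r"^\s*(Received|Analyzed|Dropped|Filtered|Outstanding|Injected):\s+(\d+)",
    re.MULTILINE,
)


def parse_packet_totals(text):
    """Return {counter_name: int} for every counter found in the stats block."""
    return {name: int(value) for name, value in _COUNTER.findall(text)}


def drop_rate(totals):
    """Percentage of received packets the capture layer dropped, or None if
    the sensor saw nothing (division by zero would hide a dead interface)."""
    received = totals.get("Received", 0)
    dropped = totals.get("Dropped", 0)
    if received == 0:
        return None
    return 100.0 * dropped / received


def assess_sensor(text, max_drop_pct=0.1):
    """Classify a stats block as 'ok', 'undersized' or 'unknown'.

    max_drop_pct is a hypothetical site threshold; 0.1% is an arbitrary default
    chosen for illustration, not a figure from the original post.
    """
    totals = parse_packet_totals(text)
    rate = drop_rate(totals)
    if rate is None:
        return ("unknown", rate)
    return ("ok" if rate <= max_drop_pct else "undersized", rate)


if __name__ == "__main__":
    verdict, rate = assess_sensor(SAMPLE_STATS)
    print(f"sensor verdict: {verdict} (drop rate {rate:.4f}%)")
```

Run it against the real text by piping the sensor's shutdown output into `assess_sensor`; a verdict of "undersized" is the cue to revisit memory bandwidth and the capture path, as the reply suggests, and "unknown" on a long-running sensor means the interface saw no traffic at all, which is its own alert.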

