[unisog] registering servers

Michael Holstein michael.holstein at csuohio.edu
Fri Jul 28 13:10:40 GMT 2006


> But still can't seem to find the info I'm after on performance. Our 
> primary link to the Internet peaks at just over 100 Mbit/sec in plus 50 
> Mbit/sec out and 15,000 packets/sec in both directions. Averages for a 
> 24 hour period are around 35 Mbit/sec in, 20 Mbit/sec out and 6,000 
> packets/sec. Do you know what sort of machine we would need to handle 
> this amount of traffic? Is it safe to assume that if the machine has a 
> disk subsystem that can handle the write speed equivalent to the amount 
> of traffic it sees (i.e. 150 Mbit/sec or 18.75 MByte/sec) that it will 
> be able to handle the load? What sort of CPU and memory requirements 
> does it have?

We have a similar amount of traffic here, and I'm doing it on a 3 GHz 
(HT) P4 (which is also running 2 instances of snort -- but not with full 
rulesets).

The Argus process doesn't consume much CPU time (by comparison) at all. 
I'm offloading the disk-writes by running argus on the aforementioned 
machine, and the collector on a different one (that's got a big raid box 
attached).

The argus logfiles aren't terribly huge .. ~10gb/day. The only PITA is 
rotating them since the 'ra' process in Argus doesn't handle a SIGINT 
like it ought to (but can be fixed with a script).

Note that you're not "recording" the traffic (eg .. it's not 'tcpdump -s 
/some/file') .. you're just keeping track of headers and bytes, so the 
storage requirements are a lot less.

Hit me off-list if you want exact statistics.

Michael Holstein CISSP GCIA
Cleveland State University

