Sensor Hardware Requirements


Daniel Paillet

Feb 18, 2014, 3:41:34 PM
to securit...@googlegroups.com
I am new to Security Onion. I am looking at deploying several sensors to report to the NSM. I see some specs for large drive requirements due to the packet capturing capability of Security Onion. Does the sensor need 1TB? and what is the storage requirement for a dedicated sensor? Does the sensor forward those packets where they are stored onto the NSM? Thank you for your time.

Daniel

Heine Lysemose

Feb 18, 2014, 3:52:47 PM
to securit...@googlegroups.com
Hi Daniel

If I were you I would start by looking at the SecurityOnion wiki page.
I'm sure you will find all of your questions answered in these pages.

Especially, https://code.google.com/p/security-onion/wiki/TableOfContents#Getting_Started

Regards,
Lysemose

Daniel Paillet

Feb 18, 2014, 3:55:08 PM
to securit...@googlegroups.com

I did: Does this apply to the sensor or to the server or both?

Storage

You need LOTS of storage as Security Onion does full packet capture and it can fill a disk quickly. We have a cronjob that purges old pcaps once the disk reaches 90% capacity. However, if you have a small disk and/or are monitoring a large amount of traffic, you may fill that last 10% before the next purge. Additionally, the purge scripts are designed with the idea that you want to keep at LEAST 1 day's worth of full packet capture on disk, so they won't delete any pcaps with today's date on them. For example, suppose you are monitoring a 50 Mb/s link, here are some quick calculations: 50Mb/s = 6.25 MB/s = 375 MB/minute = 22,500 MB/hour = 540,000 MB/day. So you're going to need about 540GB for one day's worth of pcaps (multiply this by the number of days you want to keep on disk for investigative/forensic purposes). Note that this is just pcaps (other logs will take up additional storage), so you may want to round up to the next terabyte to ensure sufficient storage. The more disk space you have, the more log retention you'll have for doing investigations after the fact. Disk is cheap, get all you can!

Heine Lysemose

Feb 18, 2014, 4:10:05 PM
to securit...@googlegroups.com
Hi Daniel

So you are on top of the documentation. Good!

The part on storage was written specifically for sensors. And if you enable packet capture, which is nearly a must-have in production, you will need a lot of storage to hold those pcaps for a reasonable time. But again, it all depends on how much traffic you are monitoring, as stated above.
When it comes to server storage, you need a lot too. Pcaps are not automatically pushed to your server but are kept on the sensor, and if you request data, as in a transcript, the particular pcap is sent to the server.
Also, if you have ELSA enabled on your server/sensor setup, you need storage for the index and archive data used in ELSA.

Regards,
Lysemose

