Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 7 Next »

Hardware Configuration

Snare Central is capable of running on a variety of hardware configurations, from laptops, right up to Linux partitions on mainframe systems and VMs. Hardware requirements are significantly dependent on the volume of audit received by Snare Central, and the type and number of audit objectives defined. As an appliance-style solution, expanding storage post-install is supported, however, It is recommended that storage allocation is sized with a view towards long term requirements.
However, in order for Snare Central to be in a supported configuration, the following requirements MUST be followed. There should be no deviations from the specifications listed below.

Snare Central - Minimum Hardware Requirements

  • A 64-bit x86 compatible CPU (eg: Pentium Core I5, AMD64), preferably with two cores or more.
  • 500GB of hard disk space or more. The physical drives should be recognized by the operating system as either IDE, SATA, Fiber Channel SAN or SCSI. Hardware RAID may be used, as long as the RAID controller is capable of either emulating normal IDE/SATA/SCSI protocols, or has a supported driver available in Snare.
  • 2 GB RAM minimum, 4GB recommended or more.
  • A 100 megabit, or (preferably) a 1000 megabit (1 Gigabit) network card.

  • Keyboard, mouse and monitor as appropriate. 


This configuration may also be appropriate for sites with a medium number of source systems, that just want to use Snare Central for the reflector functionality, and do not require any local reporting or data analysis. Reflector-only sites with high volumes of incoming data, or a count of source agents that is in the upper quarter of the 'larger configuration' maximum, may need to increase the CPU, disk and memory capacity to cope with the additional load.

Snare Central- Small Configurations

Small environment up to 500 systems (<= 1,000 EPS)

  • A 64-bit x86 compatible CPU (eg: Pentium Core I7, Xeon), preferably with four (4) cores (8 virtual cpu's) or more.
  • 1TB of hard disk space or more. These should be recognized by the operating system as either IDE, SATA, Fiber Channel SAN or SCSI. Hardware RAID is recommended, as long as the RAID controller is capable of either emulating normal IDE/SATA/SCSI protocols, or has a supported driver available in Snare.
  • 16 GB RAM minimum, 32 GB RAM or more depending on the reporting needs of the system.
  • A 100 megabit, or (preferably) a 1000 megabit (1 Gigabit) network card.

  • Keyboard, mouse and monitor as appropriate. 


For large to very large environments please contact your Snare Sales representative.

Snare Central- Moderate Configurations

Moderate environment up to 2,000 systems (<= 5,000 EPS)

  • A 64-bit x86 compatible CPU (eg: Pentium Core I7, Xeon), preferably with four (4) cores (8 virtual cpu's) or more.
  • 1-2TB of hard disk space or more, it will depend on the data retention needs. These should be recognized by the operating system as either IDE, SATA, Fiber Channel SAN or SCSI. Hardware RAID is recommended, as long as the RAID controller is capable of either emulating normal IDE/SATA/SCSI protocols, or has a supported driver available in Snare.
  • 32 GB RAM minimum, 64 GB RAM or more depending on the reporting needs of the system.
  • A 100 megabit, or (preferably) a 1000 megabit (1 Gigabit) network card.

  • Keyboard, mouse and monitor as appropriate. 


For large to very large environments please contact your Snare Sales representative.

Snare Central- Larger Configurations

Larger environment up to 5,000 systems (<= 10,000 EPS)

  • A 64-bit x86 compatible CPU (eg: Pentium Core I7, Xeon), preferably with four (12) cores (24 virtual cpu's) or more.
  • 5-10TB of hard disk space or more depending on the data retention needs. These should be recognized by the operating system as either IDE, SATA, Fiber Channel SAN or SCSI. Hardware RAID is recommended, as long as the RAID controller is capable of either emulating normal IDE/SATA/SCSI protocols, or has a supported driver available in Snare.
  • 64 GB RAM minimum, 128 GB RAM or more depending on the reporting needs of the system.
  • A 100 megabit, or (preferably) a 1000 megabit (1 Gigabit) network card.

  • Keyboard, mouse and monitor as appropriate. 


For large to very large environments please contact your Snare Sales representative.

Snare Central - AMC Configurations

Where Snare Central is used just for Agent Management then the disk space requirements can be reduced as the system is not collecting significant numbers of logs

  • A 64-bit x86 compatible CPU (eg: Pentium Core I5, AMD64), preferably with two cores or more.
  • 350GB of hard disk space or more. This should be recognized by the operating system as one single disk, and may be either IDE, SATA ,Fiber Channel SAN or SCSI. Hardware RAID may be used, as long as the RAID controller is capable of either emulating normal IDE/SATA/SCSI protocols, or has a supported driver available in Snare.
  • 8 GB RAM minimum.
  • A 100 megabit, or (preferably) a 1000 megabit (1 Gigabit) network card.

  • Keyboard, mouse and monitor as appropriate. 


Note: If there is less than 350GB of disk allocated to the system, it will default to a single partition AMC configuration. Only environments using 350GB or more will use the new disk layouts as per Appendix B.

Snare Central - Snare Advanced Analytics

A Snare Advanced Analytics installation will generally require more resources than a baseline Snare Central install.

The following additions should me made to any baseline installation:

  • Add 8-32 gigabytes of RAM to provide ElasticSearch with appropriate memory.

  • Triple your predicted hard-drive space.

    • In general, ElasticSearch requires approximately 10x the disk space for storage, for the same source data, when compared to Snare Central.
    • However, only a limited subset of high-value events are generally pushed to the Elastic Server by the Snare collection subsystem, and regular event rotation is used, which reduces the total recommended space requirements.

General compatibility notes

In order to make compatibility research simpler, Snare Central uses a Linux kernel from the Ubuntu 18.04 LTS 'Bionic' release. Hardware that is identified as compatible with Ubuntu 18.04 LTS 'Bionic' will also be accepted by Snare Central.

Incompatible Hardware / Configurations

If commonly available hardware, or virtual machine implementations are specifically identified as being incompatible with Snare Central version 8, the model numbers will be identified below.

Incompatible Hardware

No hardware has yet been specifically identified as incompatible.

  • No labels