Snort mailing list archives
Re: Choosing Linux Platform for a Snort deployment
From: Bennett Todd <bet () rahul net>
Date: Mon, 29 Dec 2003 10:30:02 -0500
2003-12-29T10:09:16 John Cunningham:
I am most familiar with Redhat (what version these days?) but can be flexible.
I used 7.3 (when it was current) very successfully. If I were doing one today, I'd use Fedora, unless I were working in a shop that had a site-wide license for RHEL3, in which case I'd use that (such shops want the support).[1] In any case, I'd do a minimal install, with Networking as the only optional component; I'd then strip out any daemons that are listening on network ports (lsof -Pni is good for discovering them), then install rpms for snort-2.1.0 and snortrules. If you don't want to use rpm for your config mgmt for your ruleset, you can use one of the automated tools other folks have developed.
We plan on spanning ports, none of which should push 100mb but one of the interfaces is gig link (overkill).
Should be easy to handle with a modern box. Give it a gig of memory; RAM is cheap. Heck, give it whatever your budget swings for, it seems like successive generations of snort enjoy more and more memory to buy additional performance.

-Bennett

[1] Actually, I do lie, if I were doing this I'd create a custom distro for the job that boots off CD and runs entirely out of an initrd, logging with syslog-ng only to a central log server, no local logs at all. But not just everybody would be keen on that sort of in-house hackery :-). Hint: syslinux makes it easy to get the thing up in the air; an initrd is just a gzip -9 compressed ext2 initially populated via loopback mount; and a monolithic kernel + a statically linked busybox is a clean and sweet base system.
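The reply above recommends a minimal install and then stripping out every daemon that listens on a network port, using `lsof -Pni` to find them. The following script is an added example, not part of the original thread and not Bennett Todd's or the Snort project's code. It parses the column layout `lsof -Pni` prints into a de-duplicated list of bound sockets and then flags those bound on all interfaces, which is the list a sensor admin would work through before putting the box on a span port. The `lsof` output embedded in `SAMPLE_LSOF` is constructed for the example; the function names are mine.

```shell
#!/bin/sh
# Added example: reduce `lsof -Pni` output to the daemons that are actually
# listening, so a stripped-down Snort sensor can be audited for leftovers.

# Constructed sample in the column layout `lsof -Pni` prints:
# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [(STATE)]
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      612 root    3u  IPv4   9871      0t0  TCP *:22 (LISTEN)
sshd      612 root    4u  IPv6   9873      0t0  TCP *:22 (LISTEN)
portmap   480 rpc     4u  IPv4   8120      0t0  UDP *:111
portmap   480 rpc     5u  IPv4   8121      0t0  TCP *:111 (LISTEN)
sendmail  701 root    4u  IPv4  10233      0t0  TCP 127.0.0.1:25 (LISTEN)
xinetd    655 root    5u  IPv4   9990      0t0  TCP *:23 (LISTEN)
sshd      844 root    4u  IPv4  11402      0t0  TCP 10.0.0.5:22->10.0.0.9:51234 (ESTABLISHED)
syslog-ng 530 root    6u  IPv4   8007      0t0  UDP 10.0.0.5:51120->10.0.0.1:514'

# listening_sockets: read `lsof -Pni` output on stdin, print one line per
# unique (proto, address, command) as "PROTO ADDR COMMAND PID".
# A TCP socket counts when lsof tags it "(LISTEN)"; a UDP socket counts when
# it has no peer (no "->" in the NAME column). Established connections and
# outbound UDP (e.g. a syslog-ng client socket) are dropped. IPv4 and IPv6
# listeners on the same port collapse into one line.
listening_sockets() {
    awk 'NR > 1 && ($10 == "(LISTEN)" || ($8 == "UDP" && index($9, "->") == 0)) {
        key = $8 " " $9 " " $1
        if (!(key in seen)) { seen[key] = 1; print $8, $9, $1, $2 }
    }'
}

# exposed_sockets: keep only listeners bound to every interface
# ("*", "0.0.0.0" or "[::]"), i.e. the ones reachable from the network.
# Loopback-only services such as a local MTA on 127.0.0.1 are left out.
exposed_sockets() {
    listening_sockets | awk '$2 ~ /^(\*|0\.0\.0\.0|\[::\]):/ { print }'
}

# Run against the constructed sample. On a real sensor, pipe live output in:
#   lsof -Pni | exposed_sockets
echo "Network-reachable listeners (candidates to remove before deployment):"
printf '%s\n' "$SAMPLE_LSOF" | exposed_sockets
```

On the sample this lists sshd on 22, portmap on 111 (TCP and UDP) and xinetd on 23; sendmail is reported by `listening_sockets` but not by `exposed_sockets`, since it is bound to loopback only. Keep in mind that a packet-capturing process like snort does not show up here at all, because it reads from a raw socket rather than a TCP or UDP port.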