Snort mailing list archives

Re: Choosing Linux Platform for a Snort deployment


From: Bennett Todd <bet () rahul net>
Date: Mon, 29 Dec 2003 10:30:02 -0500

2003-12-29T10:09:16 John Cunningham:
> I am most familiar with Redhat (what version these days?) but can
> be flexible.

I used 7.3 (when it was current) very successfully.

If I were doing one today, I'd use Fedora, unless I were working in
a shop that had a site-wide license for RHEL3, in which case I'd use
that (such shops want the support).[1]

In any case, I'd do a minimal install, with Networking as the only
optional component, I'd then strip out any daemons that are
listening on network ports (lsof -Pni is good for discovering them),
then install rpms for snort-2.1.0 and snortrules. If you don't want
to use rpm for your config mgmt for your ruleset, you can use one of
the automated tools other folks have developed.

> We plan on spanning ports, none of which should push 100mb but one
> of the interfaces is gig link (overkill).

Should be easy to handle with a modern box. Give it a gig of memory,
ram is cheap. Heck, give it whatever your budget swings for, it
seems like successive generations of snort enjoy more and more
memory to buy additional performance.

-Bennett

[1] Actually, I do lie, if I were doing this I'd create a custom
    distro for the job that boots off CD and runs entirely out of an
    initrd, logging with syslog-ng only to a central log server, no
    local logs at all. But not just everybody would be keen on that
    sort of in-house hackery :-). Hint: syslinux makes it easy to get
    the thing up in the air; an initrd is just a gzip -9 compressed
    ext2 initially populated via loopback mount; and a monolithic
    kernel + a statically linked busybox is a clean and sweet base
    system.
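The "strip out any daemons that are listening on network ports" step above, as an added example that is not part of the original thread: a POSIX shell script that parses `lsof -Pni` output the way the post suggests and reports every listener that is not on an allowlist. The lsof sample, the process names and PIDs, and the allowlist (only a management sshd) are constructed assumptions for offline demonstration.

```shell
#!/bin/sh
# Added example (not from the post): review the listening daemons on a
# freshly installed sensor from `lsof -Pni` output, as the post recommends.

# Constructed `lsof -Pni` output for offline testing; the processes, PIDs and
# addresses are hypothetical, not taken from the post.
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812 root    3u  IPv4  10231      0t0  TCP *:22 (LISTEN)
portmap   640 rpc     4u  IPv4   9876      0t0  UDP *:111
portmap   640 rpc     5u  IPv4   9877      0t0  TCP *:111 (LISTEN)
sendmail  901 root    4u  IPv4  11020      0t0  TCP 127.0.0.1:25 (LISTEN)
snort    1203 root    3u  IPv4  12500      0t0  TCP 10.0.0.5:43122->10.0.0.9:514 (ESTABLISHED)'

# Read `lsof -Pni` output on stdin and print one "COMMAND PROTO PORT" line per
# socket a process is waiting on. Column 8 is NODE (TCP/UDP), column 9 is
# NAME; TCP listeners end in "(LISTEN)", bound UDP sockets have no "->" peer.
listening_daemons() {
    awk 'NR > 1 && ($NF == "(LISTEN)" || ($8 == "UDP" && $9 !~ /->/)) {
            port = $9; sub(/.*:/, "", port)
            print $1, $8, port
        }' | sort -u
}

# Allowlist of "COMMAND/PROTO/PORT" entries the sensor is meant to keep
# (assumed here: only the sshd used for remote management).
ALLOWED="sshd/TCP/22"

# Read listening_daemons output on stdin; print every listener that is not on
# the allowlist, i.e. the daemons to strip, and return 1 if any were found.
unexpected_listeners() {
    found=0
    while read -r cmd proto port; do
        case " $ALLOWED " in
            *" $cmd/$proto/$port "*) ;;
            *) echo "$cmd $proto $port"; found=1 ;;
        esac
    done
    return $found
}

# On a live sensor:  lsof -Pni | listening_daemons | unexpected_listeners
# Demonstration on the constructed sample (prints the three extra daemons):
printf '%s\n' "$SAMPLE_LSOF" | listening_daemons | unexpected_listeners \
    || echo "unexpected listeners found; remove or disable them before deploying"
```

Extend ALLOWED with whatever the sensor legitimately needs (for the post's CD-booted variant that would be nothing inbound at all) and re-run until the check returns 0.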
