Snort mailing list archives
New install questions.
From: "Sallee, Stephen (Jake)" <Jake.Sallee () umhb edu>
Date: Wed, 6 Mar 2013 20:30:30 +0000
I am looking at building a snort server to sniff my internet traffic. If anyone has the time and/or the inclination I would very much appreciate any input you may have.

Any server I use would need to be able to deal with constant ~250 Mb/sec of traffic as well as peak between 450-500Mb/sec. Also there is the distinct possibility that I will be upgrading my bandwidth to 1Gb/sec and adding an Internet 2 link as well @ 2x1Gb/sec.

Please volunteer your thoughts on the following:

1) Normally where would you deploy a SNORT IDS? My thoughts are to deploy it out of band using a monitor session on the internet switch, with a dedicated management interface for sending emails and such from the snort box. Basically setting it up as a tap on the outside interface of my firewall.

2) What kind of hardware do I need? Since this is my internet sniffer it will be seeing some rather exotic traffic and will need some careful tuning to get right. I would like to be able to use as many rules as possible, but more rules = more CPU and RAM. Given that, what kind of hardware am I looking at to be able to use a good and thorough rule set while not getting bogged down under peak conditions (theoretically about 3Gb/sec)?

3) Homebrew vs. Vendor. Sourcefire makes what I consider to be the gold standard of snort based IDS ... or IDS in general. But, is the GUI and support necessary? If I can successfully demo and deploy this tech on a homebrew box could I get professional support without buying the hardware from a vendor like Sourcefire, or should I skip the roll-your-own setup and go for broke with a fully supported platform first?

I am sure other questions will follow but I will not tire you further for now.

Thank you in advance.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton TX. 76513
Fone: 254-295-4658
Phax: 254-295-4221
HTTP://WWW.UMHB.EDU