Snort mailing list archives
RE: RE: Design questions...
From: "Jeremy Finke" <Jeremy.Finke () MeridianIQ com>
Date: Tue, 29 Oct 2002 15:03:58 -0600
Exactly... That is the plan.. However, I am wondering what type of box is going to be needed. I can get a 2U rack dual PIV Xeon for $3700. Add in some dual nic cards or quad cards and it becomes a cheaper solution than buying a bunch of individual servers. My question is, is that a big enough box? I am aware of commercial solutions, however, that costs lots o' money. I would use old hardware, but this is going to be sitting in a rack in a data center. So, the old boxes would be taking up too much room.

Thanks!
Jeremy

-----Original Message-----
From: larc [mailto:larc () pandora be]
Sent: Tuesday, October 29, 2002 9:44 AM
To: Randy Bey; snort-users () lists sourceforge net
Subject: Re: RE: [Snort-users] Design questions...
you will incur the wrath of the security gods having a machine that bypasses the firewall.

Then you can use network taps, I use multi-homed boxes and every sniffing interface is running in stealth mode (no ip-address) and is connected to its own tap. So there is no way to bypass the firewall.

Stefan D.

------------------------
"Randy Bey" <Randy.Bey () rivernorthsys com> wrote:
------------------------
Don't have any good info for you but another consideration regarding multi-homed box: If one sensor is outside firewall and another is inside, (a common scenario), you will incur the wrath of the security gods having a machine that bypasses the firewall.

Randy Bey
RiverNorth Systems
7300 W 147th St Suite 300
Apple Valley, MN 55124
http://www.rivernorthsys.com

-----Original Message-----
From: Jeremy Finke [mailto:Jeremy.Finke () MeridianIQ com]
Sent: Tuesday, October 29, 2002 8:46 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Design questions...

Hi, hopefully, my email is sorted out now and this will get through...

I have some performance questions that I hope that someone would be able to help me out with.

I am trying to convince my boss to start implementing snort at a serious level. Problem is, he is a windows/closed source type of guy and I am a unix/open source type of guy. I am trying to convince him to buy separate boxes for each of the sensors and then a logging box that has its own private network to send data across. Ideally, I would have 4 snort sensors and one of them be an ACID/PHP/MySQL log server. He does not want to pay for all the boxes because he thinks that they are going to cost $2.5k a pop. I think that we can go with a non major vendor (pogo linux, penguin computing, etc....) and get it cheaper, but that is a different story.

So, he brought up the idea of having one big box and having multiple nics. Now, I know that this can easily be done using multiple snort processes/conf files/etc... However, I am wondering about the performance of such a beast. What type of horsepower do I need to monitor 2 T1s (on separate networks) and 2 100MB networks (also separate)? Also, it will probably be running the database as well, on a separate network.

Can people give me an idea of what they are running out there?

Thanks!
Jeremy Finke

-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
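The stealth-mode setup larc describes in the thread above (multi-homed sensor, every sniffing interface with no IP address) can be audited on the box itself. The following is an added example, not part of the original thread: it assumes Linux with iproute2 and the `ip -o addr show` output format, and the interface names (eth0 for management, eth1 to eth3 for sniffing) are hypothetical.

```python
# Added example: audit that sniffing interfaces really carry no IP address.
# Assumes Linux iproute2; interface names below are hypothetical.

# Constructed sample of `ip -o addr show` output (not from the thread).
# Interfaces with no address at all (eth1, eth3 here) do not appear in it.
SAMPLE_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\\       valid_lft forever preferred_lft forever
4: eth2    inet6 fe80::a00:27ff:fe4e:66a1/64 scope link \\       valid_lft forever preferred_lft forever
"""


def addresses_by_interface(ip_addr_output):
    """Map interface name -> list of (family, address/prefix) tuples."""
    found = {}
    for line in ip_addr_output.splitlines():
        fields = line.split()
        # Expected fields: "<index>:", "<ifname>", "inet"|"inet6", "<addr>/<len>", ...
        if len(fields) < 4 or fields[2] not in ("inet", "inet6"):
            continue
        ifname = fields[1].split("@")[0]  # strip "@parent" on VLAN sub-interfaces
        found.setdefault(ifname, []).append((fields[2], fields[3]))
    return found


def stealth_violations(ip_addr_output, sniff_ifaces):
    """Return {ifname: addresses} for sniffing interfaces that carry any address.

    IPv4 and IPv6 both count: the kernel can auto-assign an IPv6 link-local
    address when an interface is brought up, even if no IPv4 address is set.
    """
    found = addresses_by_interface(ip_addr_output)
    return {name: found[name] for name in sniff_ifaces if name in found}


if __name__ == "__main__":
    sensors = ["eth1", "eth2", "eth3"]  # eth0 is the management NIC, not checked
    for ifname, addrs in stealth_violations(SAMPLE_IP_ADDR, sensors).items():
        for family, addr in addrs:
            print(f"{ifname}: not stealth, has {family} {addr}")
```

On a live sensor, pass the captured output of `ip -o addr show` instead of the sample; an empty result means no listed sniffing interface has an address.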
Current thread:
- Design questions... Jeremy Finke (Oct 29)
- Re: Design questions... Jarret Gibson (Oct 29)
- RE: Design questions... Wayne T Work (Oct 29)
- <Possible follow-ups>
- RE: Design questions... Randy Bey (Oct 29)
- Re: RE: Design questions... larc (Oct 29)
- Design questions... Jeremy Finke (Oct 29)
- RE: RE: Design questions... Jeremy Finke (Oct 29)
- RE: Design questions... Jakub Molek (Oct 30)