Snort mailing list archives
IDS Question
From: Paul Halliday <paul.halliday () gmail com>
Date: Mon, 16 Aug 2004 13:33:48 -0300
I work at a small community college and I want to implement an IDS solution for one of the campuses. There are approximately 400 machines here utilizing a 5mbit link. Bandwidth on this link is typically between 1.5-2 mbit.

What I have so far is a FreeBSD box running Snort, ipfm, and OpenBSD's pf. Basically I want to monitor suspicious activity/excessive bandwidth usage and tickle the packet filter rules accordingly so that we may isolate/block the traffic for further analysis.

If I had 2 gigabit NICs, one in one out, and maybe another 100mbit NIC acting as the monitor (passive tap), would this box be able to do its job without introducing lag? I would basically be placing the box between the main switch and a Cisco 2600.

My biggest concern is whether or not the forwarding of all this traffic through the machine will introduce latency, and if so how much. I would suspect that because all the info is being picked up on the passive tap that things shouldn't slow down too much.

If anyone could offer some tips or thoughts about this setup it would be greatly appreciated.

Thanks.

--
Paul Halliday
http://dp.penix.org
"Diplomacy is the art of saying "Nice doggie!" till you can find a rock."
Current thread:
- IDS Question Paul Halliday (Aug 16)
- Re: IDS Question Bill Parker (Aug 16)
- <Possible follow-ups>
- IDS Question Paul W Halliday (Aug 17)