Re: IDS Question

["Bill Parker" <dogbert () netnevada net>]

----- Original Message ----- 
From: "Paul Halliday" <paul.halliday () gmail com>
To: <snort-users () lists sourceforge net>
Sent: Monday, August 16, 2004 9:33 AM
Subject: [Snort-users] IDS Question


> I work at a small community college and I want to implement an IDS
> solution for one of the campuses. There is approximately 400 machines
> here utilizing a 5mbit link. Bandwidth on this link is typically
> between 1.5-2 mbit.
>
> What I have so far is a freebsd box running snort, ipfm, and openbsd's
> pf. Basically I want to monitor suspicious activity/excessive
> bandwidth usage and tickle the packet filter rules accordingly so that
> we may isolate/block the traffic for further analysis.
>
> If I had 2 gigabit nics, one in one out, and maybe another 100mbit nic
> acting as the monitor (passive tap)  would this box be able to do its
> job without introducing lag? I would basically be placing the box
> between the main switch and a cisco 2600. My biggest concern is
> whether or not the forwarding of all this traffic though the machine
> will introduce latency, and if so how much. I would suspect that
> because all the info is being picked up on the passive tap that things
> shouldnt slow down too much.

I have a Pent III-500 (SuSE 8.0 Pro Linux) using snort 2.2.0 in daemon mode
which sniffs
an avg of 1-2mbit/sec traffic with no packet drops at all.  Using 10/100
NIC, connected to
the internal i/f of the PIX via a span port on our 3550.  This box has 256MB
of RAM,
a 8GB SCSI (20mbit/sec Transfer Rate), and 3 x dual 10/100 Intel NIC's
w/400mbit/sec
throughput (per card), our environment is 4 T-1's (max of 6mbit/sec
bi-directional).

If you use cisco switches, look at enabling port monitor or port span to
mirror all of your
traffic onto a single port on the switch, and this is where you attach your
snort sensor.

I'd imagine this box could easily analyze 5-10mbit/sec w/NO problem what so
ever
(this machine was built out of spare parts, btw), and the NIC's which handle
snort are
set up in promisc. mode w/NO ip address assigned to the card to cut down on
traffic
from the box itself.

Bill



-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users