Snort mailing list archives
RE: HW Specs
From: "Alex Butcher, ISC/ISYS" <Alex.Butcher () bristol ac uk>
Date: Thu, 24 Nov 2005 11:24:59 +0000
--On 23 November 2005 12:21 -0500 "Timothy A. Holmes" <tholmes () mcaschool net> wrote:
I have gotten snort and BASE set up and running (I think properly), but I have not yet started to tweak the rules etc. Right now, the sensor and the database are combined into one box, set up as follows:

Pentium 4 HT box, 1 GB memory, 40 GB HDD (not SCSI), 2 interfaces:
- One Intel Pro1000 on the board -- has an IP on it -- used for management
- One Belkin 10/100 PCI card -- no IP -- used as the sniffing interface right now
Depending on the chipset used on the Belkin card, you might get better performance the other way around. The Intel drivers are particularly good.
Running MySQL and BASE -- set up per Patrick Harper's instructions. The sensor is currently placed between the cable modem and the firewall on a hub, to monitor the outside traffic. I would like to be able to use the second interface as a second sniffer port, to take a look at internal traffic.
You have a number of choices; you can either run two snort processes (one on each i/f), or you can use bonding to tie two or more ports together to create a unified bond0 device and have snort listen to that. The advantage of the latter is that snort can then track state of connections that it sees on all bonded interfaces. OTOH, if you have a multi-processor machine, you may wish to run multiple snort instances in order to get the most out of the second and subsequent CPU(s).
I'd suggest using a third NIC, rather than using your management interface, especially if you go the bonding route.
To create a bonded interface on RH-alike OSs, do the following:

1) Create rc.modules if it doesn't exist, and modprobe the 'bonding' kernel module:

   # cat /etc/rc.modules
   #!/bin/sh
   modprobe bonding

2) Create /etc/sysconfig/network-scripts/ifcfg-bond0:

   # cat /etc/sysconfig/network-scripts/ifcfg-bond0
   DEVICE=bond0
   USERCTL=no
   ONBOOT=yes
   BOOTPROTO=none

3) Create/modify /etc/sysconfig/network-scripts/ifcfg-eth* for each interface you wish to be a slave of bond0:

   # cat /etc/sysconfig/network-scripts/ifcfg-eth2
   DEVICE=eth2
   BOOTPROTO=dhcp
   HWADDR=DE:AD:C0:ED:BA:BE
   ONBOOT=no
   TYPE=Ethernet
   MASTER=bond0
   SLAVE=yes

4) Restart appropriate services, or reboot.

5) Start snort with '-i bond0' instead of '-i eth2' or whatever.
Also, I would like to hear others' recommendations about how to set up the logging etc. Some have recommended using a separate box for logging etc. I don't care on that issue; whatever works well is fine with me.
Running the sensor and the database on separate hosts is worthwhile. Also, you should use a spool processor (barnyard, mudpit, or my preference, FLoP) in between snort and the database for maximum efficiency.
TIM
HTH,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing
GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
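The bonding procedure in Alex's reply, carried through as an added example (this is editor-supplied code, not from the original post or from the snort project): a POSIX shell script that writes the rc.modules line and the ifcfg-bond0 / ifcfg-eth* files for any number of slave NICs, then parses the /proc/net/bonding/<bond> status text so a start script can refuse to launch snort on a bond with a dead tap. It assumes the RHEL-era sysconfig layout the reply describes; ROOT is an assumed prefix variable for dry runs into a scratch directory, and the bond status text below is constructed, not captured from a real host. The slave stanzas are written with BOOTPROTO=none rather than the dhcp in the posted file, since an enslaved interface never gets its own address.

```shell
#!/bin/sh
# Added example (not from the original post): write the RH-style sysconfig
# files for a sniffing bond and check the result via /proc/net/bonding/<bond>.
# Assumptions: RHEL-era /etc/sysconfig/network-scripts layout and
# /etc/rc.modules, as in the reply above. ROOT is a prefix for dry runs into
# a scratch directory; leave it empty to write to the live system.

# write_bond_config BOND SLAVE... : steps 1-3 of the reply, idempotently.
write_bond_config() {
    bond="$1"; shift
    root="${ROOT:-}"
    scripts="$root/etc/sysconfig/network-scripts"
    rcmod="$root/etc/rc.modules"
    mkdir -p "$scripts"

    # Step 1: make sure the bonding driver is loaded at boot.
    if [ ! -f "$rcmod" ]; then
        printf '#!/bin/sh\n' > "$rcmod"
        chmod +x "$rcmod"
    fi
    if ! grep -q '^modprobe bonding$' "$rcmod"; then
        printf 'modprobe bonding\n' >> "$rcmod"
    fi

    # Step 2: the master device. No address: it only sniffs.
    printf 'DEVICE=%s\nUSERCTL=no\nONBOOT=yes\nBOOTPROTO=none\n' "$bond" \
        > "$scripts/ifcfg-$bond"

    # Step 3: one slave stanza per NIC. BOOTPROTO=none, since an enslaved
    # interface never gets its own address. HWADDR is pinned from sysfs when
    # the NIC exists, so a change in eth* probe order cannot swap a tap port
    # with the management port.
    for nic in "$@"; do
        hw=""
        if [ -r "/sys/class/net/$nic/address" ]; then
            hw=$(cat "/sys/class/net/$nic/address")
        fi
        {
            printf 'DEVICE=%s\nBOOTPROTO=none\nONBOOT=no\nTYPE=Ethernet\n' "$nic"
            printf 'MASTER=%s\nSLAVE=yes\n' "$bond"
            if [ -n "$hw" ]; then printf 'HWADDR=%s\n' "$hw"; fi
        } > "$scripts/ifcfg-$nic"
    done
}

# bond_check [FILE] : parse a /proc/net/bonding/<bond> status file (stdin if
# no FILE). Prints one line per slave plus a summary; exits non-zero if any
# slave is not up. The bond's own "MII Status" line precedes the first
# "Slave Interface" line and is deliberately skipped.
bond_check() {
    awk '
        /^Slave Interface:/ { slave = $3 }
        /^MII Status:/ && slave != "" {
            if ($3 == "up") { up++;   print slave " up" }
            else            { down++; print slave " down" }
        }
        END { printf "bonded slaves: %d up, %d down\n", up, down; exit (down > 0) }
    ' "${1:--}"
}

# Constructed sample of the status file with both slaves enslaved and up
# (not captured from a real host); used for a dry run of bond_check.
SAMPLE_STATUS='Bonding Mode: load balancing (round-robin)
MII Status: up
MII Polling Interval (ms): 100

Slave Interface: eth1
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:11:22:33:44:55

Slave Interface: eth2
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:11:22:33:44:66'

case "${1:-}" in
    apply) shift; write_bond_config "$@" ;;                 # apply bond0 eth1 eth2
    check) bond_check "${2:-/proc/net/bonding/bond0}" ;;    # live host
    demo)  printf '%s\n' "$SAMPLE_STATUS" | bond_check ;;   # constructed input
esac
```

Usage: `ROOT=/tmp/dryrun sh bond-sniff.sh apply bond0 eth1 eth2` to inspect the generated files first, then the same with ROOT empty, restart networking (or reboot), `sh bond-sniff.sh check`, and only then start snort with `-i bond0`. Keep the bonding driver in its default balance-rr mode for a sniffing bond: in active-backup mode the driver discards frames received on the inactive slave, so one of your taps would silently stop feeding snort.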
Current thread:
- HW Specs Brian J. Dyrehauge (Nov 21)
- Re: HW Specs Rich Moffitt (Nov 21)
- Re: HW Specs Gulfie (Nov 22)
- Re: HW Specs Alex Butcher, ISC/ISYS (Nov 23)
- Re: HW Specs Alex Butcher, ISC/ISYS (Nov 28)
- <Possible follow-ups>
- RE: HW Specs Timothy A. Holmes (Nov 23)
- RE: HW Specs Alex Butcher, ISC/ISYS (Nov 24)