Snort mailing list archives

Throughput question, setup validation


From: Page-Zone Web Hosting <mail () page-zone com>
Date: Fri, 16 Mar 2007 07:34:08 -0400

In the 3-4 days I've been losing sleep over this awesome program, I have 
a few questions. I've pored over every possible online resource for the 
past few days and have a system up and running, although it has a long 
way to go. I'm not even sure it's working right, and haven't managed to 
get the inline portion working, but have managed to get traffic to go 
through the box.

My question is does this hardware setup / network scenario seem like a 
workable system and can anyone give me any recommendations:

The network is a 100mbit downlink to about 14 LAMP servers on the same 
class C /24 serving about 10,000 low traffic websites. The downlink goes 
into a managed SMC6224M Tiger switch.

Many of the sites are running mass distributed web apps such as 
WordPress, forum scripts, and just about every other script that can be 
downloaded for free, installed and abandoned by the webmaster/hobbyist, 
leaving us to worry about it getting exploited. Most sites are small 
business brochure or hobby sites. We have a lot of protections in place 
but never enough.

The 95% bandwidth usage is about 10mbps with bursts of 20mbps 
occasionally, so I imagine the key number there is 20mbps.

Budget is fairly low, for instance, aanval has been purchased and was 
considered expensive.

My plan is to install Snort-inline on a transparent bridge on a spare 
dual Opteron 270, 2GB ECC RAM to start (it's all I have spare right now): 
3ware 8000 series SATA RAID 1, Tyan 3870 mainboard which has two on-board 
10/100/1000 LAN connections (Intel i82541PI), which can be seen here: 
http://www.newegg.com/Product/Product.asp?Item=N82E16813151041

Will the hardware setup listed above handle that type of network? Or 
better yet, what degree of rule checking could I accomplish. Every 
server runs an individual instance of mod_security with a 200kb set of 
rules and seems to keep up pretty well. The servers are of the same 
specs except that they are Opt. 275's & 285's.

Instead of an expensive bypass switch I plan to use a spare managed 
switch that the downlink would feed into, and if the Snort box goes down 
I could manually turn that port off and another port on which would feed 
into the Tiger switch. I haven't tested that yet to see if it would work, though.

My next question, what would be the best distro to put this on, and if 
anyone has any suggestions, or pitfall warnings I'd be very glad to hear 
them.

Thanks for any suggestions you may have.



-- 
Thank You,
Jim Snape
Page-Zone Web Hosting
http://www.page-zone.com
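The transparent-bridge part of the plan above is the piece Jim says he has not got working yet. The script below is an added example, not code from his post or from the Snort project: it brings up an IP-less bridge between two NICs and hands forwarded frames to the iptables QUEUE target that snort_inline reads from. The bridge name, interface names, the `ip_queue` module and the `net.bridge.bridge-nf-call-iptables` sysctl are assumptions for a 2.6-era Linux bridge host; `--dry-run` prints the commands without touching the box, which is worth doing before cutting the downlink over.

```shell
#!/bin/sh
# Added example (not from the original post or from Snort): build a
# transparent bridge for snort_inline. Interface names, bridge name and
# the sysctl/module names are assumptions for a 2.6-era Linux host.

# run: execute a command, or only print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# valid_ifname NAME: non-empty, at most 15 chars, no whitespace or '/'.
valid_ifname() {
  case "$1" in
    ''|*[[:space:]/]*) return 1 ;;
  esac
  [ "${#1}" -le 15 ]
}

# setup_bridge BRIDGE INSIDE_NIC OUTSIDE_NIC
# The bridge gets no IP address, so the sensor is invisible on the wire;
# management belongs on a third NIC that this script does not touch.
setup_bridge() {
  br="$1"; in_if="$2"; out_if="$3"
  valid_ifname "$br" && valid_ifname "$in_if" && valid_ifname "$out_if" || return 1
  [ "$in_if" != "$out_if" ] || return 1
  run brctl addbr "$br"
  run brctl addif "$br" "$in_if"
  run brctl addif "$br" "$out_if"
  # Promiscuous and ARP-less: the sniffing ports answer nothing themselves.
  run ip link set dev "$in_if" up promisc on arp off
  run ip link set dev "$out_if" up promisc on arp off
  # Forwarding delay 0 so traffic passes as soon as the bridge is up.
  run brctl setfd "$br" 0
  run ip link set dev "$br" up
}

# queue_bridged_traffic BRIDGE
# Let iptables see bridged frames, then push the FORWARD chain into QUEUE.
# With no userspace reader attached the kernel drops queued packets, i.e.
# the sensor fails closed; that is why the manual bypass port matters.
queue_bridged_traffic() {
  br="$1"
  valid_ifname "$br" || return 1
  run sysctl -w net.bridge.bridge-nf-call-iptables=1
  run modprobe ip_queue
  run iptables -I FORWARD -j QUEUE
}

main() {
  setup_bridge br0 eth0 eth1 || { echo "bad interface names" >&2; return 1; }
  queue_bridged_traffic br0
}

case "${1:-}" in
  --dry-run) DRY_RUN=1; main ;;
  --apply)   main ;;
esac
```

Run `sh bridge.sh --dry-run` to review the commands, then `--apply` as root; start `snort_inline` afterwards, since until it attaches to the queue everything crossing the bridge is dropped.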

