Snort mailing list archives

Re: Snort Install


From: Jack Pepper <pepperjack () afferentsecurity com>
Date: Wed, 02 Dec 2009 07:24:26 -0600

Quoting Biggs Darklighter <jedi_darklighter () hotmail com>:

on this network and am wondering if this would be a good machine to use?
any suggestions would be very helpful. I have never used and have not
installed snort as of yet due to lack of working computers (4) lying

The hardware you describe is sufficient for the sensor.  Beyond
"sufficient", let's be clear about a couple of things:
   - if your ruleset is poorly tuned or badly deployed, no amount of
hardware will be sufficient.
   - you must learn to run everything you need, then turn off everything else.

I personally run a bunch of snort boxes on our satellite campuses
(less than 10 PCs) on AMD Geode (Soekris) machines with 512 MB RAM, no
disks, and the full ruleset.

The reason you can't find anything about recommended sizing is that it  
doesn't matter.  Rule tuning matters.  Deployment matters.  Everything  
else is just noise.

jp

-- 

Framework?  I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com

