Snort mailing list archives

Re: snort sensor on virtual machine...[?]


From: Mike Hale <eyeronic.design () gmail com>
Date: Wed, 11 Apr 2012 09:40:19 -0700

If you have the funds, a standalone machine is generally better IMO.

You have less of a chance of having a misconfiguration in your
hardware (whereas in the virtual system you have to specifically
configure the vnics/vswitches) as well as better performance (as all
resources on that box are dedicated to that OS).

That said, I'm running snort within OSSIM in a virtual machine being
fed by an NTAP at the network edge.  It works very well for the most
part, though I rarely get above 10 Mbps.  On that same note, I have had
the NICs within ESXi choke every now and then during some peak traffic
times.

Either way is doable.  I'd recommend you try the virtual solution
first (since you presumably have the infrastructure in place), and
if you don't like the way it functions, switch to a dedicated box.

- Mike

On Wed, Apr 11, 2012 at 8:22 AM, Corbin Fletcher <corbin () freeway com> wrote:
Greetings Snort community,

I am a member of a small team who operates a data center. Our company
provides VoIP services for corporations. We utilize primarily open
source applications. We run Debian and CentOS, FreeSwitch, OpenSIP, MySQL,
Elastix, FreePBX, Proxmox, etc.

We receive a good number of SIP brute-force attacks and other security
breaches on our network, and this is the reason for my email.

As a team we have agreed to implement a Snort sensor as a NIDS. We are
currently not running any IDS and we rely on analyzing logs to be
alerted to our network attacks.

I would like to install a Snort sensor at the edge of our network on its
own dedicated machine and have it sniff all network traffic.

Another team member wants to run Snort on a Proxmox cluster in a virtual
environment.

Can anyone advise about the pros and cons for each approach?

Or, could someone please advise on best practices for implementing a
Snort sensor on our network?

Thanks in advance.

~Corbin


------------------------------------------------------------------------------
Better than sec? Nothing is better than sec when it comes to
monitoring Big Data applications. Try Boundary one-second
resolution app monitoring today. Free.
http://p.sf.net/sfu/Boundary-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!



-- 
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
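The thread above is about where to put the sensor, not what it should match; the SIP brute force Corbin mentions is the obvious first use for it. The following is an added example, not code from either poster: a small Python model of how a Snort `detection_filter` rule would count SIP REGISTER requests per source address, run over constructed traffic (one legitimate phone re-registering every 30 s, one attacker cycling extensions once a second). The rule text in the docstring, the threshold of 20 REGISTERs in 60 s, the addresses and the hostname `pbx.example.net` are all assumptions chosen for the illustration.

```python
"""Model of a Snort 2 rate-based rule for SIP REGISTER brute force.

Added example, not from the mailing-list thread. The Snort rule it
mirrors (sid/threshold are assumptions, not a published signature):

alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"SIP REGISTER brute force"; \
    content:"REGISTER"; depth:8; \
    detection_filter:track by_src, count 20, seconds 60; sid:1000001; rev:1;)

detection_filter fires on the count-th matching packet from a source
within the window and on every later match still inside it; the class
below reproduces that behaviour (an approximation, not Snort's code).
"""
from collections import defaultdict, deque

SIP_PORT = 5060


def is_sip_register(payload: bytes) -> bool:
    # content:"REGISTER"; depth:8 -> the method must be at the very start
    # of the datagram, so an INVITE or a response line does not count.
    return payload[:8] == b"REGISTER"


class RegisterFloodDetector:
    """Per-source sliding window, as detection_filter:track by_src."""

    def __init__(self, count: int = 20, seconds: float = 60.0):
        self.count = count
        self.seconds = seconds
        # src address -> timestamps of its REGISTERs still inside the window
        self.windows = defaultdict(deque)

    def observe(self, ts: float, src: str, dst_port: int, payload: bytes) -> bool:
        """Feed one datagram; return True when it should raise an alert."""
        if dst_port != SIP_PORT or not is_sip_register(payload):
            return False
        q = self.windows[src]
        q.append(ts)
        # drop timestamps that fell out of the `seconds` window
        while q and ts - q[0] > self.seconds:
            q.popleft()
        return len(q) >= self.count


def build_sample_traffic():
    """Constructed packets (ts, src, dst_port, payload); not a real capture."""
    pkts = []
    # A legitimate phone re-registering every 30 s: 2 REGISTERs per minute.
    for i in range(4):
        pkts.append((i * 30.0, "10.0.0.50", SIP_PORT,
                     b"REGISTER sip:pbx.example.net SIP/2.0\r\n"))
    # An attacker guessing extensions, one REGISTER per second for 25 s.
    for i in range(25):
        ext = 1000 + i
        payload = (f"REGISTER sip:pbx.example.net SIP/2.0\r\n"
                   f"From: <sip:{ext}@pbx.example.net>\r\n").encode()
        pkts.append((40.0 + i, "203.0.113.7", SIP_PORT, payload))
    # An INVITE from the same attacker: same port, but not counted by the rule.
    pkts.append((41.5, "203.0.113.7", SIP_PORT,
                 b"INVITE sip:100@pbx.example.net SIP/2.0\r\n"))
    return sorted(pkts, key=lambda p: p[0])


def run_sample(count: int = 20, seconds: float = 60.0):
    """Replay the sample traffic; return [(ts, src)] for every alert raised."""
    det = RegisterFloodDetector(count, seconds)
    alerts = []
    for ts, src, dport, payload in build_sample_traffic():
        if det.observe(ts, src, dport, payload):
            alerts.append((ts, src))
    return alerts


if __name__ == "__main__":
    for ts, src in run_sample():
        print(f"t={ts:5.1f}s  SIP REGISTER brute force from {src}")
```

With the assumed threshold the phone never trips the rule, while the attacker raises the first alert on its 20th REGISTER (t=59 s) and one more for each REGISTER after that; the INVITE is ignored because of the `depth:8` anchor. Whichever side of the physical-versus-virtual question you land on, the rule only fires if the sensor interface actually receives the SIP traffic, which is exactly the tap/SPAN feed or promiscuous vNIC configuration Mike's reply warns has to be set up deliberately on a hypervisor.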
