Snort mailing list archives

New install questions.


From: "Sallee, Stephen (Jake)" <Jake.Sallee () umhb edu>
Date: Wed, 6 Mar 2013 20:30:30 +0000

I am looking at building a Snort server to sniff my internet traffic. If anyone has the time and/or the inclination I would very much appreciate any input you may have.
Any server I use would need to be able to deal with a constant ~250 Mb/sec of traffic as well as peaks between 450-500 Mb/sec. Also, there is the distinct possibility that I will be upgrading my bandwidth to 1 Gb/sec and adding an Internet2 link as well at 2x1 Gb/sec. Please volunteer your thoughts on the following:


1) Normally, where would you deploy a Snort IDS? My thoughts are to deploy it out of band using a monitor session on the internet switch, with a dedicated management interface for sending emails and such from the Snort box. Basically, setting it up as a tap on the outside interface of my firewall.


2) What kind of hardware do I need? Since this is my internet sniffer it will be seeing some rather exotic traffic and will need some careful tuning to get right. I would like to be able to use as many rules as possible, but more rules = more CPU and RAM. Given that, what kind of hardware am I looking at to be able to use a good and thorough rule set while not getting bogged down under peak conditions (theoretically about 3 Gb/sec)?



3) Homebrew vs. vendor. Sourcefire makes what I consider to be the gold standard of Snort-based IDS ... or IDS in general. But is the GUI and support necessary? If I can successfully demo and deploy this tech on a homebrew box, could I get professional support without buying the hardware from a vendor like Sourcefire, or should I skip the roll-your-own setup and go for broke with a fully supported platform first?


I am sure other questions will follow but I will not tire you further for now.  Thank you in advance.



Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton TX. 76513
Fone: 254-295-4658
Phax: 254-295-4221
HTTP://WWW.UMHB.EDU
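An added example of the out-of-band deployment sketched in question 1 above. This script is not from the original post or from the Snort project; the interface name, the HOME_NET range and the log path are assumptions for illustration. It prepares a dedicated sniffing interface on the SPAN/monitor port (no address, promiscuous, NIC offloads disabled so Snort sees packets as they were on the wire), writes the HOME_NET/EXTERNAL_NET variables for a sensor tapped outside the firewall, and starts Snort bound to that interface only, leaving the management NIC for mail and log shipping.

```shell
#!/bin/sh
# Added example (not from the original post): out-of-band Snort sensor
# bring-up on a SPAN/monitor port. Interface names, address ranges and
# paths below are assumptions; adjust them to your environment.
# DRY_RUN=1 (default) only prints the privileged commands; DRY_RUN=0 runs them.
set -eu
DRY_RUN="${DRY_RUN:-1}"

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Sniffing interface: no IP address, promiscuous, no ARP, offloads off.
# GRO/LRO coalesce segments before Snort sees them and upset stream
# reassembly; an address on this port would let the sensor answer traffic
# on the monitored segment, which an out-of-band tap must never do.
sniff_iface_setup() {
    iface="$1"
    run ip addr flush dev "$iface"
    run ip link set "$iface" up promisc on arp off
    run ethtool -K "$iface" gro off lro off tso off gso off rx off tx off
}

# Variables for a sensor tapped OUTSIDE the firewall: HOME_NET is the
# public range behind the firewall, everything else is external.
# Alerts are written as unified2 on local disk and shipped out over the
# management interface, so nothing is ever sent via the sniffing port.
render_snort_vars() {
    home_net="$1"
    out="$2"
    cat >"$out" <<EOF
ipvar HOME_NET $home_net
ipvar EXTERNAL_NET !\$HOME_NET
output unified2: filename snort.u2, limit 128
EOF
}

# Validate the configuration (-T), then run Snort daemonised on the
# sniffing interface with the afpacket DAQ, logging under the given dir.
start_snort() {
    iface="$1"
    conf="$2"
    logdir="${3:-/var/log/snort}"
    run snort -c "$conf" -i "$iface" -T
    run snort -c "$conf" -i "$iface" --daq afpacket -D -l "$logdir"
}

# Example invocation with assumed values (prints commands under DRY_RUN=1).
sensor_bringup() {
    sniff_iface_setup eth1
    render_snort_vars '192.0.2.0/24' /tmp/snort-vars.conf
    start_snort eth1 /tmp/snort-vars.conf
}
```

Review the output with the default DRY_RUN=1, then run as root with DRY_RUN=0 to apply it; the rendered variable file is meant to be included from the main snort.conf. One caveat relevant to question 2: a Snort 2.9 process handles packets in a single thread, so a single instance will not keep up with multi-gigabit peaks on its own; the usual answer is several instances, each pinned to a core and fed a share of the traffic (for example via PF_RING), which is independent of the interface and variable setup shown here.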

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users