Snort mailing list archives

Re: New install questions.


From: Joel Esler <jesler () sourcefire com>
Date: Wed, 6 Mar 2013 16:23:47 -0500

On Mar 6, 2013, at 3:30 PM, "Sallee, Stephen (Jake)" <Jake.Sallee () umhb edu> wrote:

1)      Normally where would you deploy a SNORT IDS?  My thoughts are to deploy it out of band using a monitor 
session on the internet switch, with a dedicated management interface for sending emails and such from the snort box. 
Basically setting it up as a tap on the outside interface of my firewall.

IMHO, you need to be on the inside of the firewall, let the firewall block the majority of the nonsense, and let Snort 
concentrate on what actually makes it through the firewall.

2)      What kind of hardware do I need?  Since this is my internet sniffer it will be seeing some rather exotic 
traffic and will need some careful tuning to get right.  I would like to be able to use as many rules as possible, 
but more rules = more CPU and RAM.  Given that, what kind of hardware am I looking at to be able to use a good and 
thorough rule set while not getting bogged down under peak conditions (theoretically about 3Gb/sec)?

You'll probably need something like flow dividing and pinning to CPUs.  There are lots of articles out there on this 
topic.  One of the more recent ones that discusses it (although it really doesn't tell you how to configure 
Snort) is http://erratasec.blogspot.com/2013/02/multi-core-scaling-its-not-multi.html .  Worth a good read.  I believe 
the Security Onion distro does this now (Doug, care to confirm?).

3)      Homebrew vs. Vendor.  Sourcefire makes what I consider to be the gold standard of snort based IDS … or IDS in 
general.

Thank you.

But, is the GUI and support necessary? 

Depends on your use case, but for an enterprise, at the speeds you are talking, a GUI would make things easier to 
manage and simpler to use.

If I can successfully demo and deploy this tech on a homebrew box could I get professional support without buying the 
hardware from a vendor like sourcefire, or should I skip the roll-your-own setup and go for broke with a fully 
supported platform first?

I don't want to discuss our product on list, as vendor discussion is pretty much disallowed, but you are welcome to 
contact me off list.  

We do not offer a paid support offering for Snort from Sourcefire, but we do offer services for Snort: 
http://www.snort.org/services .  The VRT rules are always supported by the VRT at any time, whether or not you buy a 
subscription.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
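Joel's point about flow dividing, as an added example that is not from this thread, from Snort, or from Security Onion: a direction-independent flow hash that sends both halves of a connection to the same Snort worker, shown next to naive per-packet round-robin, which splits a flow across instances and so breaks stream reassembly. The packet tuples and the worker count are constructed for illustration.

```python
import hashlib
import ipaddress
import struct

# Constructed sample packets (not captured from a real network): one TCP
# handshake in both directions plus an unrelated DNS exchange.
# Fields: src, sport, dst, dport, IP protocol number (6 = TCP, 17 = UDP).
PACKETS = [
    ("10.0.0.5", 51234, "203.0.113.10", 443, 6),   # client -> server SYN
    ("203.0.113.10", 443, "10.0.0.5", 51234, 6),   # server -> client SYN/ACK
    ("10.0.0.5", 51234, "203.0.113.10", 443, 6),   # client -> server ACK
    ("10.0.0.7", 40000, "198.51.100.53", 53, 17),  # DNS query
    ("198.51.100.53", 53, "10.0.0.7", 40000, 17),  # DNS reply
]

def flow_key(src, sport, dst, dport, proto):
    """Direction-independent key: sort the two endpoints so A->B and B->A match."""
    ends = sorted([(int(ipaddress.ip_address(src)), sport),
                   (int(ipaddress.ip_address(dst)), dport)])
    return ends[0], ends[1], proto

def flow_to_worker(src, sport, dst, dport, proto, workers):
    """Map a packet to one of `workers` Snort instances by hashing its flow key.

    A keyed/deterministic hash (blake2b) is used rather than Python's hash(),
    which is randomized per process for some types."""
    (ip_a, port_a), (ip_b, port_b), p = flow_key(src, sport, dst, dport, proto)
    raw = (ip_a.to_bytes(16, "big") + struct.pack("!H", port_a)
           + ip_b.to_bytes(16, "big") + struct.pack("!HB", port_b, p))
    digest = hashlib.blake2b(raw, digest_size=8).digest()
    return int.from_bytes(digest, "big") % workers

def assign_by_flow(packets, workers):
    """Flow-aware distribution: every packet of a flow lands on one worker."""
    return [flow_to_worker(*pkt, workers) for pkt in packets]

def assign_round_robin(packets, workers):
    """Naive per-packet spreading, shown only for contrast."""
    return [i % workers for i in range(len(packets))]

def flows_intact(packets, assignment):
    """True if no flow was split across workers under this assignment."""
    seen = {}
    for pkt, worker in zip(packets, assignment):
        if seen.setdefault(flow_key(*pkt), worker) != worker:
            return False
    return True
```

The same per-flow property is what hardware or driver-level flow pinning (RSS queues pinned to cores, each with its own Snort process) has to preserve; the script only checks the property, it does not configure a NIC.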
