Snort mailing list archives
Re: snort sensor on virtual machine...[?]
From: Mike Hale <eyeronic.design () gmail com>
Date: Wed, 11 Apr 2012 09:40:19 -0700
If you have the funds, a standalone machine is generally better IMO. You have less of a chance of having a misconfiguration in your hardware (whereas in the virtual system you have to specifically configure the vnics/vswitches) as well as better performance (as all resources on that box are dedicated to that OS).

That said, I'm running snort within OSSIM in a virtual machine being fed by an NTAP at the network edge. It works very well for the most part, though I rarely get above 10mbps. On that same note, I have had the NICs within ESXi choke every now and then during some peak traffic times.

Either way is doable. I'd recommend you try the virtual solution first (since you presumably have the infrastructure in place), and if you don't like the way it functions, switch to a dedicated box.

- Mike

On Wed, Apr 11, 2012 at 8:22 AM, Corbin Fletcher <corbin () freeway com> wrote:
Greetings Snort community,

I am a member of a small team who operates a data center. Our company provides VoIP services for corporations. We utilize primarily open source applications. We run Debian and CentOS, FreeSwitch, OpenSIP, MySQL, Elastix, FreePBX, Proxmox, etc.

We receive a good number of SIP brute force attacks, and other security breaches on our network. And this is the reason for my email. As a team we have agreed to implement a Snort sensor as a NIDS. We are currently not running any IDS and we rely on analyzing logs to be alerted to our network attacks.

I would like to install a Snort sensor at the edge of our network on its own dedicated machine and have it sniff all network traffic. Another team member wants to run Snort on a Proxmox cluster in a virtual environment.

Can anyone advise about the pros and cons for each approach? Or, could someone please advise on best practices for implementing a Snort sensor on our network?

Thanks in advance.

~Corbin

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
--
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0