Snort mailing list archives
Re: New install questions.
From: Heine Lysemose <lysemose () gmail com>
Date: Wed, 6 Mar 2013 21:55:01 +0100
Hi Jake

1. Place the IDS on the inside of your firewall. I think someone once said as close to the clients as possible.
2. Plenty of both CPU and RAM. As much as the server can hold.
3. I encourage you to take a look at SecurityOnion, http://securityonion.blogspot.com

/Lysemose

On Mar 6, 2013 9:46 PM, "Sallee, Stephen (Jake)" <Jake.Sallee () umhb edu> wrote:
I am looking at building a snort server to sniff my internet traffic. If anyone has the time and/or the inclination I would very much appreciate any input you may have.

Any server I use would need to be able to deal with constant ~250 Mb/sec of traffic as well as peak between 450-500 Mb/sec. Also there is the distinct possibility that I will be upgrading my bandwidth to 1 Gb/sec and adding an Internet2 link as well @ 2x1 Gb/sec. Please volunteer your thoughts on the following:

1) Normally where would you deploy a SNORT IDS? My thoughts are to deploy it out of band using a monitor session on the internet switch, with a dedicated management interface for sending emails and such from the snort box. Basically setting it up as a tap on the outside interface of my firewall.

2) What kind of hardware do I need? Since this is my internet sniffer it will be seeing some rather exotic traffic and will need some careful tuning to get right. I would like to be able to use as many rules as possible, but more rules = more CPU and RAM. Given that, what kind of hardware am I looking at to be able to use a good and thorough rule set while not getting bogged down under peak conditions (theoretically about 3 Gb/sec)?

3) Homebrew vs. Vendor. Sourcefire makes what I consider to be the gold standard of snort based IDS ... or IDS in general. But, is the GUI and support necessary? If I can successfully demo and deploy this tech on a homebrew box could I get professional support without buying the hardware from a vendor like Sourcefire, or should I skip the roll-your-own setup and go for broke with a fully supported platform first?

I am sure other questions will follow but I will not tire you further for now. Thank you in advance.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton TX. 76513
Fone: 254-295-4658
Phax: 254-295-4221
HTTP://WWW.UMHB.EDU

------------------------------------------------------------------------------
Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the endpoint security space. For insight on selecting the right partner to tackle endpoint security challenges, access the full report. http://p.sf.net/sfu/symantec-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- New install questions. Sallee, Stephen (Jake) (Mar 06)
- Re: New install questions. Heine Lysemose (Mar 06)
- Re: New install questions. Joel Esler (Mar 06)
- Re: New install questions. Doug Burks (Mar 06)
- Re: New install questions. Sallee, Stephen (Jake) (Mar 06)
- Re: New install questions. Greg Williams (Mar 06)
- Re: New install questions. Sallee, Stephen (Jake) (Mar 06)
- Re: New install questions. Gregory W. MacPherson (Mar 11)
- Re: New install questions. Greg Williams (Mar 07)
- <Possible follow-ups>
- Re: New install questions. Sallee, Stephen (Jake) (Mar 07)