[Snort-users] Linux of FreeBSD

Erek Adams erek at ...577...
Mon Nov 26 08:17:03 EST 2001


On Mon, 26 Nov 2001, Olav Langeland wrote:

> I am seeking advice on what is best suited for Snort use, Linux or
> FreeBSD. It will monitor either a dual E3 link (currently at 50%
> capacity) or a single port producing about 30-40Mbit. Will Debian Linux
> handle this kind of traffic without problem, or is FreeBSD a better
> choice? The machine in question is P3-800, 512MB Ram and SCSI raid.


Well, you're about to get into a Holy OS War, but other than that...  Friends
don't let friends use RedHat.  :-)

Keep this fact in mind:  Run snort on _your_ OS first.  If it fails, or drops
packets, YOU (as an admin) will see and notice that.  On stuff you know, it's
easier to understand and fix.  Then if you can't fix it, try another OS.
That's the long and short of it from the trenches.

Now, the email below is from Marty.  He was discussing a few things and one of
the things asked was Hardware and OS recommendations.  He had the following to
say....

(Oh, some parts snipped for brevity, but the headers are intact so you can
check the archives if you _really_ want to.  :)

--Begin Marty's Email--

Date: Wed, 03 Oct 2001 01:11:32 -0400
From: Martin Roesch <roesch at ...1935...>
To: snort-users <snort-users at lists.sourceforge.net>
Subject: [Snort-users] Snort project update

[...snip...]

4) Hardware/OS recommendations

Ok, here are the guidelines and some parameters.  Intrusion detection is
turning into one of the most high performance production computing
fields that is in wide deployment today.  If you think about the
requirements of a NIDS sensor and the constraints that they are required
to operate within, you'll probably start to realize that it's not too
hard to find the performance wall with a NIDS these days.

The things a NIDS needs are:

MIPS (Fast CPU)
RAM  (More is *always* better)
I/O  (Wide, fast busses and high performance NIC)
AODS (Acres Of Disk Space)

A NIDS also needs to be pretty quick internally at doing its job.
Snort's seen better days in that regard (when 1.5 came out the
architecture was a lot cleaner) but it's still considered to be one of
the performance leaders available.

As for OS selection, use what you like.  When we implement Data
Acquisition Plugins in Snort 2.0 this may become more of a factor, but
for now I'm hearing about a lot of people seeing a lot of success using
Snort on Solaris, Linux, *BSD and Windows 2000.  Personally, I develop
Snort on FreeBSD and Sourcefire uses OpenBSD for our sensor appliance
OS, but I've been hearing some good things about the RedHat Turbo Packet
interface (which would require mods for Snort to use, not to mention my
general objection to RedHat's breaking stuff all the time).

[...snip...]

--End Marty's Email--

Hope that helps!


-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
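Erek's advice above is to run Snort on the OS you know and watch for dropped packets yourself. The script below is an added example (not part of the original thread, and not Snort's own code) of one such check on Linux: it samples the kernel's per-interface counters from /proc/net/dev twice and reports how many receive-side drops the sniffing NIC accumulated in between. It assumes the standard /proc/net/dev layout (two header lines, then one line per interface with eight receive and eight transmit counters); the interface name "eth1" and the two embedded snapshots are constructed sample data so the script runs offline. FreeBSD's netstat -i output is a different format and is not parsed here.

```python
"""Check whether a Linux sniffing interface is dropping packets at the NIC.

Added example, not from the original Snort-users thread. Assumes the
standard /proc/net/dev layout (stable across 2.x+ kernels):

  iface: rx_bytes rx_packets rx_errs rx_drop rx_fifo rx_frame rx_compressed rx_multicast
         tx_bytes tx_packets tx_errs tx_drop tx_fifo tx_colls tx_carrier tx_compressed
"""
import time

PROC_NET_DEV = "/proc/net/dev"

# Constructed sample snapshots (not real captures); eth1 is the assumed sniffing NIC.
SAMPLE_BEFORE = """Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   123456    1000    0    0    0     0          0         0   123456    1000    0    0    0     0       0          0
  eth1: 98765432  400000    0  120    0     0          0      3000        0       0    0    0    0     0       0          0
"""
SAMPLE_AFTER = """Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   123456    1000    0    0    0     0          0         0   123456    1000    0    0    0     0       0          0
  eth1: 198765432  900000    0  5120    0     0          0      6000        0       0    0    0    0     0       0          0
"""


def parse_proc_net_dev(text):
    """Return {iface: {counter_name: int}} for the receive/transmit counters we care about."""
    stats = {}
    for line in text.splitlines()[2:]:          # skip the two header lines
        if ":" not in line:
            continue
        iface, rest = line.split(":", 1)       # iface name may be right-aligned with spaces
        fields = rest.split()
        if len(fields) < 16:
            continue                           # malformed or truncated line; ignore it
        vals = [int(f) for f in fields[:16]]
        stats[iface.strip()] = {
            "rx_packets": vals[1],
            "rx_errs": vals[2],
            "rx_drop": vals[3],
            "rx_fifo": vals[4],               # FIFO overruns: the NIC could not keep up
            "tx_packets": vals[9],
            "tx_drop": vals[11],
        }
    return stats


def rx_drop_delta(before, after, iface):
    """Packets received, packets dropped, and drop ratio on iface between two snapshots.

    rx_packets counts packets the driver delivered; rx_drop counts packets it
    discarded. Whether a driver also counts discards in rx_packets varies, so
    the ratio is an indicator, not an exact loss figure.
    """
    b, a = before[iface], after[iface]
    received = a["rx_packets"] - b["rx_packets"]
    dropped = a["rx_drop"] - b["rx_drop"]
    ratio = dropped / max(received + dropped, 1)
    return received, dropped, ratio


def sample_live(iface, interval_sec=10):
    """Read /proc/net/dev twice, interval_sec apart, and return the delta for iface."""
    with open(PROC_NET_DEV) as f:
        before = parse_proc_net_dev(f.read())
    time.sleep(interval_sec)
    with open(PROC_NET_DEV) as f:
        after = parse_proc_net_dev(f.read())
    return rx_drop_delta(before, after, iface)


if __name__ == "__main__":
    # Offline demonstration on the constructed snapshots; on a real sensor call
    # sample_live("eth1") instead while Snort is running under load.
    received, dropped, ratio = rx_drop_delta(
        parse_proc_net_dev(SAMPLE_BEFORE), parse_proc_net_dev(SAMPLE_AFTER), "eth1"
    )
    print(f"eth1: received={received} dropped={dropped} drop_ratio={ratio:.4%}")
```

Two caveats. A rising rx_drop or rx_fifo counter means the kernel or NIC lost packets before Snort ever saw them, which points at the NIC, bus or driver rather than Snort; drops inside the capture buffer show up instead in Snort's own packet statistics, which it prints when it exits or receives SIGUSR1. And a zero NIC drop count under 30-40 Mbit of traffic does not by itself prove the sensor is keeping up; rerun the check at the link's busiest hour, since the original question mentions a dual E3 at only 50% capacity.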
