[Snort-users] Linux of FreeBSD

Abe L. Getchell abegetchell at ...530...
Mon Nov 26 12:31:30 EST 2001


Hi Olev,

This question has been asked many times in recent days on this list and
the best advice I can give after considering all the options on the
market, opinions posted here, as well as personal experience, is to run
it on what you know the best.  If you know the Linux side of things, run
it on Linux.  If you know the FreeBSD side of things, run it on Linux...
Er, I mean FreeBSD. ;-)

That being said, I'm currently testing a sensor on (a highly modified
and stripped down configuration of) Red Hat Linux 7.2 on our production
network and it's chugging right along.  I have the box monitoring one of
our DS3's running at capacity (45Mbit), and it's showing no signs of
stress with processor utilization sitting right around 30%-40% on a PIII
1GHz.  That being said, I have spent ample time tuning the rules for our
environment; it's not just a default set of sigs that packets are being
checked against.

To stress it again, run it on what you know the best.  Spend your time
tuning the operating system, tuning Snort, and tuning the Snort rules
rather than trying to decide what OS to run it on.  The benefit of the
work you put in on getting it to run on _your_ system well will far
out-weigh the benefits of picking one OS over the other.

Thanks,
Abe

--
Abe L. Getchell
Security Engineer
abegetchell at ...530...


> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net 
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of 
> Olav Langeland
> Sent: Monday, November 26, 2001 10:18 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Linux of FreeBSD
> 
> 
> I am seeking advice on what is best suited for Snort use, 
> Linux or FreeBSD. It will monitor either a dual E3 link 
> (currently at 50%
> capacity) or a single port producing about 30-40Mbit. Will 
> Debian Linux handle this kind of traffic without problem, or 
> is FreeBSD a better choice? The machine in question is 
> P3-800, 512MB Ram and SCSI raid. 
> Thanks for any help.
> 
> -- 
> Olav Langeland <> olav.langeland at ...2038...
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe: 
> https://lists.sourceforge.net/lists/listinfo/s> nort-users
> 
> Snort-users list archive: 
> http://www.geocrawler.com/redir-sf.php3?list=ort-users
> 





More information about the Snort-users mailing list