[Snort-users] Design questions...

larc larc at ...1187...
Tue Oct 29 07:45:02 EST 2002

>you will incur the wrath of the security gods having a
>machine that bypasses the firewall.

Then you can use network taps. I use multi-homed boxes, and every sniffing interface is running in stealth mode (no IP address) and is connected to its own tap. So there is no way to bypass the firewall.

Stefan D.
 "Randy Bey" <Randy.Bey at ...6683...> wrote:
>Don't have any good info for you, but another consideration regarding
>multi-homed box:
>If one sensor is outside firewall and another is inside, (a common
>scenario), you will incur the wrath of the security gods having a
>machine that bypasses the firewall.
>Randy Bey
>RiverNorth Systems
>7300 W 147th St Suite 300
>Apple Valley, MN 55124
>-----Original Message-----
>From: Jeremy Finke [mailto:Jeremy.Finke at ...7343...] 
>Sent: Tuesday, October 29, 2002 8:46 AM
>To: snort-users at lists.sourceforge.net
>Subject: [Snort-users] Design questions...
>Hi, hopefully, my email is sorted out now and this will get through... 
>I have some performance questions that I hope that someone would be able
>to help me out with. 
>I am trying to convince my boss to start implementing snort at a serious
>level. Problem is, he is a windows/closed source type of guy and I am a
>unix/open source type of guy. I am trying to convince him to buy
>separate boxes for each of the sensors and then a logging box that has
>its own private network to send data across. Ideally, I would have 4
>snort sensors and one of them be an ACID/PHP/MySQL log server. He does
>not want to pay for all the boxes because he thinks that they are going
>to cost $2.5k a pop. I think that we can go with a non major vendor
>(pogo linux, penguin computing, etc....) and get it cheaper, but that is
>a different story. 
>So, he brought up the idea of having one big box and having multiple
>nics. Now, I know that this can easily be done using multiple snort
>processes/conf files/etc... However, I am wondering about the
>performance of such a beast. What type of horsepower do I need to
>monitor 2 T1s (on separate networks) and 2 100MB networks (also
>separate)? Also, it will probably be running the database as well, on a
>seperate network. Can people give me an idea of what they are running
>out there? 
>Jeremy Finke 
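The layout Stefan describes above (sniffing interfaces with no IP address, one tap per interface) combined with the one-snort-process-per-NIC arrangement Jeremy asks about, as an added example that is not code from the original thread. It assumes a Linux sensor with iproute2 and sysctl, interface names passed on the command line, one snort conf per interface at /etc/snort/snort.<iface>.conf, log directories under /var/log/snort and an unprivileged snort user and group; all of these are my assumptions, not the thread's.

```shell
#!/bin/sh
# Added example, not code from the thread. Per-tap stealth sniffing interfaces
# plus one snort process per interface on a single multi-homed sensor.
# Assumed (not stated in the thread): Linux with iproute2 and sysctl, snort in
# PATH, a conf file per interface at $SNORT_CONF_DIR/snort.<iface>.conf, and a
# dedicated unprivileged user/group for snort to drop to.
SNORT_CONF_DIR=${SNORT_CONF_DIR:-/etc/snort}
SNORT_LOG_DIR=${SNORT_LOG_DIR:-/var/log/snort}
SNORT_USER=${SNORT_USER:-snort}
SNORT_GROUP=${SNORT_GROUP:-snort}

# Commands that make $1 a listen-only interface: no address of any family, no
# ARP replies, no IPv6 link-local autoconfig (modern kernels add one by default,
# which would make a "no IP" interface chatty), promiscuous, then up.
stealth_iface_cmds() {
    iface=$1
    printf 'sysctl -w net.ipv6.conf.%s.disable_ipv6=1\n' "$iface"
    printf 'ip addr flush dev %s\n' "$iface"
    printf 'ip link set dev %s arp off\n' "$iface"
    printf 'ip link set dev %s promisc on\n' "$iface"
    printf 'ip link set dev %s up\n' "$iface"
}

# One snort daemon per sniffing interface, each with its own conf and log
# directory, dropping root once the capture socket is open (-u/-g).
snort_cmdline() {
    iface=$1
    printf 'snort -D -i %s -c %s/snort.%s.conf -l %s/%s -u %s -g %s\n' \
        "$iface" "$SNORT_CONF_DIR" "$iface" \
        "$SNORT_LOG_DIR" "$iface" "$SNORT_USER" "$SNORT_GROUP"
}

# Full bring-up script for the given interfaces. The first line is what keeps
# a box with one leg outside the firewall and one inside from ever acting as
# a path between them: the sniffing legs carry no address, and even if one
# did, forwarding is off. Pipe the output through sh after reviewing it.
sensor_setup_script() {
    echo 'sysctl -w net.ipv4.ip_forward=0'
    for iface in "$@"; do
        printf 'mkdir -p %s/%s\n' "$SNORT_LOG_DIR" "$iface"
        stealth_iface_cmds "$iface"
        snort_cmdline "$iface"
    done
}

# Post-deployment check on a live interface: returns 0 if it carries no
# address of any family, 1 if it does, 2 if the device does not exist.
iface_is_stealth() {
    ip link show dev "$1" >/dev/null 2>&1 || return 2
    [ -z "$(ip -o addr show dev "$1")" ]
}

# Usage: sh sensor-setup.sh eth1 eth2 eth3 eth4 | sh
if [ $# -gt 0 ]; then
    sensor_setup_script "$@"
fi
```

The script only prints the commands, so it can be reviewed before anything is applied; `iface_is_stealth eth1` is the check to run afterwards (and again after any reboot or network-manager change) to confirm that no address crept back onto a sniffing leg. The management interface, which does need an address, is the one that goes on Jeremy's private logging network, and it must never be one of the tapped legs.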
