[Snort-users] Design questions...

Jeremy Finke Jeremy.Finke at ...7343...
Tue Oct 29 13:05:01 EST 2002


Exactly... That is the plan... However, I am wondering what type of box
is going to be needed.  I can get a 2U rack dual PIV Xeon for $3700.
Add in some dual NIC cards or quad cards and it becomes a cheaper
solution than buying a bunch of individual servers.  My question is, is
that a big enough box?  I am aware of commercial solutions, however,
those cost lots o' money.  I would use old hardware, but this is going
to be sitting in a rack in a data center.  So, the old boxes would be
taking up too much room.

Thanks!

Jeremy

-----Original Message-----
From: larc [mailto:larc at ...1187...] 
Sent: Tuesday, October 29, 2002 9:44 AM
To: Randy Bey; snort-users at lists.sourceforge.net
Subject: Re: RE: [Snort-users] Design questions...


>you will incur the wrath of the security gods having a
>machine that bypasses the firewall.

Then you can use network taps. I use multi-homed boxes and every
sniffing interface is running in stealth mode (no IP address) and is
connected to its own tap. So there is no way to bypass the firewall.

Stefan D.
------------------------
 "Randy Bey" <Randy.Bey at ...6683...> wrote:
------------------------
>Don't have any good info for you but another consideration regarding
>multi-homed box:
>If one sensor is outside firewall and another is inside, (a common 
>scenario), you will incur the wrath of the security gods having a 
>machine that bypasses the firewall.
>
>Randy Bey
>RiverNorth Systems
>7300 W 147th St Suite 300
>Apple Valley, MN 55124
>http://www.rivernorthsys.com
>
>-----Original Message-----
>From: Jeremy Finke [mailto:Jeremy.Finke at ...7343...]
>Sent: Tuesday, October 29, 2002 8:46 AM
>To: snort-users at lists.sourceforge.net
>Subject: [Snort-users] Design questions...
>
>Hi, hopefully, my email is sorted out now and this will get through...
>I have some performance questions that I hope that someone would be
>able to help me out with.
>I am trying to convince my boss to start implementing snort at a
>serious level. Problem is, he is a Windows/closed source type of guy
>and I am a Unix/open source type of guy. I am trying to convince him
>to buy separate boxes for each of the sensors and then a logging box
>that has its own private network to send data across. Ideally, I would
>have 4 snort sensors and one of them be an ACID/PHP/MySQL log server.
>He does not want to pay for all the boxes because he thinks that they
>are going to cost $2.5k a pop. I think that we can go with a non-major
>vendor (pogo linux, penguin computing, etc....) and get it cheaper,
>but that is a different story.
>So, he brought up the idea of having one big box and having multiple
>NICs. Now, I know that this can easily be done using multiple snort
>processes/conf files/etc... However, I am wondering about the
>performance of such a beast. What type of horsepower do I need to
>monitor 2 T1s (on separate networks) and 2 100MB networks (also
>separate)? Also, it will probably be running the database as well, on a
>separate network. Can people give me an idea of what they are running
>out there?
>Thanks!
>Jeremy Finke
>
>
>-------------------------------------------------------
>This sf.net email is sponsored by:ThinkGeek
>Welcome to geek heaven.
>http://thinkgeek.com/sf
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list=snort-users



