[Snort-users] Choosing Linux Platform for a Snort deployment
bet at ...6163...
Mon Dec 29 07:31:04 EST 2003
2003-12-29T10:09:16 John Cunningham:
> I am most familiar with Redhat (what version these days?) but can
> be flexible.
I used 7.3 (when it was current) very successfully.
If I were doing one today, I'd use Fedora, unless I were working in
a shop that had a site-wide license for RHEL3, in which case I'd use
that (such shops want the support).
In any case, I'd do a minimal install, with Networking as the only
optional component. I'd then strip out any daemons that are
listening on network ports (lsof -Pni is good for discovering them),
then install rpms for snort-2.1.0 and snortrules. If you don't want
to use rpm for your config mgmt for your ruleset, you can use one of
the automated tools other folks have developed.
> We plan on spanning ports, none of which should push 100mb but one
> of the interfaces is gig link (overkill).
Should be easy to handle with a modern box. Give it a gig of memory,
RAM is cheap. Heck, give it whatever your budget swings for; it
seems like successive generations of snort enjoy more and more
memory to buy additional performance.
Actually, I do lie, if I were doing this I'd create a custom
distro for the job that boots off CD and runs entirely out of an
initrd, logging with syslog-ng only to a central log server, no
local logs at all. But not just everybody would be keen on that
sort of in-house hackery :-). Hint: syslinux makes it easy to get
the thing up in the air; an initrd is just a gzip -9 compressed
ext2 initially populated via loopback mount; and a monolithic
kernel + a statically linked busybox is a clean and sweet base.
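The "strip out any daemons that are listening on network ports" step above, turned into a small audit script. This is an added example, not code from the post or from the Snort project: it parses `lsof -Pni` output, separates loopback-only sockets from ones reachable off the box, and names the daemons behind the latter. The lsof sample embedded in it is constructed (hypothetical processes and PIDs) so it runs offline; `--live` runs the real command instead.

```shell
#!/bin/sh
# Added example (not from the original post): audit a sensor box for daemons
# bound to network ports, the `lsof -Pni` step from the message. The sample
# output below is constructed for offline use; pass --live to run the real
# command instead.

# Constructed sample of `lsof -Pni` output (hypothetical processes and PIDs).
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      612 root    3u  IPv4   8921      0t0  TCP *:22 (LISTEN)
portmap   533 rpc     4u  IPv4   7210      0t0  UDP *:111
portmap   533 rpc     5u  IPv4   7211      0t0  TCP *:111 (LISTEN)
sendmail  702 root    4u  IPv4   9100      0t0  TCP 127.0.0.1:25 (LISTEN)
snort    1201 snort   3u  IPv4  12001      0t0  TCP 127.0.0.1:3306->127.0.0.1:53210 (ESTABLISHED)
xinetd    655 root    5u  IPv4   8301      0t0  TCP *:23 (LISTEN)'

# listeners LSOF_TEXT: one line per socket that accepts traffic, i.e. TCP
# sockets in LISTEN state plus every UDP socket (lsof prints no state for
# UDP). Output fields: "command pid proto address".
listeners() {
    printf '%s\n' "$1" | awk 'NR > 1 && ($10 == "(LISTEN)" || $8 == "UDP") {
        print $1, $2, $8, $9
    }'
}

# external_listeners LSOF_TEXT: drop sockets bound only to loopback; what
# remains is reachable from the span/management network and needs a
# reason to exist on a sensor.
external_listeners() {
    listeners "$1" | awk '$4 !~ /^(127\.[0-9.]+|localhost|\[::1\]):/'
}

# exposed_services LSOF_TEXT: distinct daemon names behind external
# listeners, i.e. the candidates to remove or chkconfig off.
exposed_services() {
    external_listeners "$1" | awk '{ print $1 }' | sort -u
}

# count_lines: portable line count with no leading whitespace.
count_lines() { awk 'END { print NR }'; }

if [ "$1" = "--live" ]; then
    INPUT=$(lsof -Pni 2>/dev/null)
else
    INPUT=$SAMPLE_LSOF
fi
echo "Externally reachable listeners:"
external_listeners "$INPUT"
echo "Daemons to review: $(exposed_services "$INPUT" | tr '\n' ' ')"
```

On the constructed sample the script reports sshd, portmap (TCP and UDP) and xinetd as externally reachable and leaves sendmail out, since it is bound to 127.0.0.1 only; on a real box, run it as root so lsof can see every process, and re-run it after each service is disabled until only what the sensor needs remains (on a box that does nothing but sniff and ship syslog, that may be sshd alone, or nothing).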