[Snort-users] running it all on 1 box....

Scott Renna srenna at ...9588...
Mon Jul 7 12:53:10 EDT 2003


I'm still testing out Snort and its associated peripherals on a system
here at work; however, my problem is that my company doesn't seem to
want to spend money....ever.  Basically here's what I got going on.  I'm
running the demo system right now as a 266 with 64MB of RAM. 

I'm wondering....how much am I going to actually be able to run on that
box, and have the system keep up with the work.  I've been running tests
and barnyard seems to be able to keep up with the alerts it receives
from Snort (it takes it a few minutes to actually process through it all
and then write to the appropriate log files).  Is it a good idea to even
ATTEMPT to run PostgreSQL and Apache and ACID? 

Also, I've read in many of the guides that it is preferred to run
the database on a separate system on the "inside".  While I can see this
would be a good idea (since if the Snort box got hacked the information
could be removed), it also opens up a door into the Internal Network.
What type of filtering and protection schemes have you all tried that
have a setup like this?  I would think IPFW would be the logical choice,
but would like some feedback.



Scott Renna
Head Systems Administrator
Dynamic Animation Systems

