[Snort-users] deployment advice

Daniel de Young daniel at ...10155...
Tue Sep 23 19:05:06 EDT 2003


Okay, I'm in the planning stages of a new Snort box and could use some
feedback/suggestions.

Here is the setup (low-volume network)...

-----------------
|   router/fw   | ss20 sm71 w/qfe obsd+pf
-----------------
||||
|||| 4 links being monitored
||||
-----------------
|    switch     | cisco 2924xl
-----------------
    ||||
    |||| 4 span ports
    ||||
-----------------
|   snort ids   | ultra2 2x200 w/qfe
-----------------

Highlights are:

1. Monitor WAN, DMZ, LAN, admin VLANs (no tags)
2. Snort on an Ultra2 2x200 256MB QFE
3. ACID/PostgreSQL front end (on another box)

From the Caswell et al. book and FAQ I gather the following:

1. In order to monitor multiple interfaces, I'll need to do one of the
following:

  A. Run multiple instances of Snort
  B. Use a bridge interface
  C. Use a Snort patch that allows me to specify "any" for interface

2. If I'm not running multiple instances I'll need to specify something
like the following:

var HOME_NET [10.10.10.0/24,192.168.1.0/24,etc]

preprocessor portscan: 0.0.0.0/0 5 60 /var/log/snort/portscan.log
preprocessor portscan-ignorehosts: 10.10.10.0/24 192.168.1.0/24 etc


My questions are:

1. What are your suggestions for OS (no holy wars!)? Normally I run
OpenBSD, but I'll need SMP this time. I figure my choices are Solaris,
NetBSD, Linux. I gather that my next question may have sway on the
answer since some methods are OS dependent.

2. I'd like each segment's data to be logged/stored separately for
easy analysis from the database. Which method of running multi-if lends
itself best to this goal? Would it be multiple instances?

3. Any other suggestions based on what you see?

thanks,

-daniel
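
Option A (one Snort instance per monitored interface) is the one that keeps each segment's data separate with no extra tooling, because every instance gets its own config, its own HOME_NET and its own log directory. The script below is an added example written for this thread; it is not code from the original post or from the Snort project. It assumes Solaris QFE interface names qfe0..qfe3, the Snort 2.0-era flags -c, -i, -l, -D, -u and -g, a "snort" user and group, a database host named acidbox, and the constructed sample addresses in the SEGMENTS table; adjust all of those to the real box.

```shell
#!/bin/sh
# Added example (not from the post): run one snort instance per monitored
# segment, each with its own config, HOME_NET and log directory, so every
# segment's alerts stay separate on disk and appear as a separate sensor in
# ACID (the database output plugin keys its sensor rows on hostname + interface).
# Assumed, not from the post: Solaris QFE interface names qfe0..qfe3, the
# snort 2.0-era flags -c -i -l -D -u -g, user/group "snort", the database
# host "acidbox", and the sample addresses below.

SNORT_BIN=${SNORT_BIN:-/usr/local/bin/snort}
SNORT_ETC=${SNORT_ETC:-/etc/snort}
SNORT_LOG=${SNORT_LOG:-/var/log/snort}
SNORT_USER=${SNORT_USER:-snort}

# segment  interface  HOME_NET for that segment (constructed sample values;
# the WAN "home" net is the outside /29 of the firewall)
SEGMENTS='wan   qfe0 203.0.113.0/29
dmz   qfe1 192.168.1.0/24
lan   qfe2 10.10.10.0/24
admin qfe3 10.10.20.0/24'

# Per-segment paths, derived from the segment name only.
conf_path() { printf '%s/snort-%s.conf\n' "$SNORT_ETC" "$1"; }
log_dir()   { printf '%s/%s\n' "$SNORT_LOG" "$1"; }

# Emit a minimal snort.conf for one segment. HOME_NET is per segment, so the
# rules' $HOME_NET and the portscan ignore list only cover that segment's net.
# (With several nets on one segment, list them space-separated on the
# portscan-ignorehosts line rather than reusing the bracketed HOME_NET form.)
render_conf() {
    seg=$1; net=$2; iface=$3
    cat <<EOF
# generated for segment $seg ($iface)
var HOME_NET $net
var EXTERNAL_NET !\$HOME_NET
preprocessor portscan: 0.0.0.0/0 5 60 $(log_dir "$seg")/portscan.log
preprocessor portscan-ignorehosts: $net
output database: log, postgresql, user=snort dbname=snort host=acidbox
include $SNORT_ETC/rules/all.rules
EOF
}

# Command line for one instance: its own config and log dir, daemonised,
# privileges dropped to the snort user/group after the interface is opened.
snort_cmd() {
    seg=$1; iface=$2
    printf '%s -D -u %s -g %s -i %s -c %s -l %s\n' \
        "$SNORT_BIN" "$SNORT_USER" "$SNORT_USER" "$iface" \
        "$(conf_path "$seg")" "$(log_dir "$seg")"
}

# Write every config and start every instance. Only runs when invoked as
# "sh multisnort.sh start", so sourcing the file is side-effect free.
start_all() {
    echo "$SEGMENTS" | while read seg iface net; do
        mkdir -p "$(log_dir "$seg")"
        render_conf "$seg" "$net" "$iface" > "$(conf_path "$seg")"
        eval "$(snort_cmd "$seg" "$iface")"
    done
}

if [ "${1:-}" = start ]; then
    start_all
fi
```

Each instance then writes its flat-file alerts and portscan log under /var/log/snort/<segment>, and in ACID the four instances show up as four sensors (same hostname, different interface), so per-segment queries are just a filter on the sensor.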
