[Snort-users] deployment advice

Daniel de Young daniel at ...10155...
Tue Sep 23 19:05:06 EDT 2003

okay, i'm in the planning stages of a new snort box and could use some

here is the setup (low volume network)...

|   router/fw   | ss20 sm71 w/qfe obsd+pf
|||| 4 links being monitored
|    switch     | cisco 2924xl
    |||| 4 span ports
|   snort ids   | ultra2 2x200 w/qfe

highlights are:

1. monitor wan, dmz, lan, admin vlans (no tags)
2. snort on a ultra2 2x200 256mb qfe
3. acid/postgres front end (on another box)

from the caswell + et al book and faq i gather the following:

1. in order to monitor multiple interfaces, i'll need to do one of the

  A. run multiple instances of snort
  B. use a bridge interface
  C. use a snort patch that allows me to specify "any" for interface

2. if i'm not running multiple instances i'll need to specify something
like the following:

var HOME_NET [,,etc]

preprocessor portscan: 5 60 /var/log/snort/portscan.log
preprocessor portscan-ignorehosts: etc

my questions are:

1. what are your suggestions for os (no holy wars!)? normally i run
openbsd, but i'll need smp this time. i figure my choices are solaris,
netbsd, linux. i gather that my next question may have sway on the
answer since some methods are os dependent.

2. i'd like for each segment's data to be logged/stored separately for
easy analysis from the database. which method of running multi-if lends
itself best to this goal? would it be multiple instances?

3. any other suggestions based on what you see?



More information about the Snort-users mailing list