[Snort-users] IDS Question

Paul Halliday paul.halliday at ...11827...
Mon Aug 16 09:34:04 EDT 2004


I work at a small community college and I want to implement an IDS
solution for one of the campuses. There are approximately 400 machines
here utilizing a 5mbit link. Bandwidth on this link is typically
between 1.5-2 mbit.

What I have so far is a freebsd box running snort, ipfm, and openbsd's
pf. Basically I want to monitor suspicious activity/excessive
bandwidth usage and tickle the packet filter rules accordingly so that
we may isolate/block the traffic for further analysis.

If I had 2 gigabit nics, one in one out, and maybe another 100mbit nic
acting as the monitor (passive tap) would this box be able to do its
job without introducing lag? I would basically be placing the box
between the main switch and a cisco 2600. My biggest concern is
whether or not the forwarding of all this traffic through the machine
will introduce latency, and if so how much. I would suspect that
because all the info is being picked up on the passive tap that things
shouldn't slow down too much.

If anyone could offer some tips or thoughts about this setup it would
be greatly appreciated.

Thanks.
-- 
_________________
Paul Halliday
http://dp.penix.org

"Diplomacy is the art of saying "Nice doggie!" till you can find a rock."
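Added example, not part of the original post: one way to have Snort alerts "tickle" pf as the poster describes, by turning alerts into pf table entries. It assumes a pf table named <blocked> (this example's own name), Snort's one-line "fast" alert format, and constructed sample alerts; the pfctl commands are printed for review rather than executed, so a noisy rule cannot cut off a host unattended.

```shell
#!/bin/sh
# Added example (not from the original post): turn Snort "fast" alerts into
# pf table entries so flagged hosts can be isolated for later analysis.
# Assumes pf.conf contains (names are this example's own):
#   table <blocked> persist
#   block in quick on $int_if from <blocked>
# Nothing here runs pfctl; the commands are printed so an operator can review
# them (or pipe them to sh on the firewall) instead of blocking blindly.

# Print the source address of one Snort fast-alert line, or nothing if the
# alert's priority is above MAX_PRIO (in Snort a lower number is more severe).
MAX_PRIO=${MAX_PRIO:-2}
offender_from_alert() {
    line=$1
    prio=$(printf '%s\n' "$line" | sed -n 's/.*\[Priority: \([0-9]*\)\].*/\1/p')
    [ -n "$prio" ] && [ "$prio" -le "$MAX_PRIO" ] || return 0
    # The source is the host:port pair before the "->" arrow.
    printf '%s\n' "$line" | sed -n 's/.*} \([0-9.]*\):[0-9]* -> .*/\1/p'
}

# Read alert lines on stdin; emit one "pfctl -t blocked -T add" per unique host.
pf_commands() {
    while IFS= read -r line; do
        offender_from_alert "$line"
    done | sort -u | while IFS= read -r ip; do
        printf 'pfctl -t blocked -T add %s\n' "$ip"
    done
}

# Constructed sample alerts (not real traffic): the second repeats the first
# offender, the third is too low a priority to act on.
SAMPLE_ALERTS='08/16-09:34:04.123456  [**] [1:1000001:1] EXAMPLE portscan [**] [Priority: 2] {TCP} 10.1.2.3:4444 -> 10.9.8.7:80
08/16-09:34:05.000001  [**] [1:1000002:1] EXAMPLE excessive traffic [**] [Priority: 1] {UDP} 10.1.2.3:5000 -> 10.9.8.9:53
08/16-09:34:06.000002  [**] [1:1000003:1] EXAMPLE info only [**] [Priority: 3] {TCP} 10.1.2.4:2222 -> 10.9.8.7:22'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_ALERTS" | pf_commands
fi
```

Entries added this way stay until removed; `pfctl -t blocked -T expire <seconds>` or a cron job can age them out once the traffic has been looked at.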



