[Snort-users] HW Specs

Alex Butcher, ISC/ISYS Alex.Butcher at ...11254...
Thu Nov 24 03:41:03 EST 2005


--On 23 November 2005 12:21 -0500 "Timothy A. Holmes" 
<tholmes at ...13578...> wrote:

> I have gotten snort and base set up and running (I think properly) but I
> have not yet started to tweak the rules etc.
>
> Right now, the sensor and the database are combined into one box set up
> as follows:
>
> Pentium 4 HT box, 1gb Memory 40gb HDD - not scsi
> 2 interfaces:
> 	- One Intel Pro1000 on the board -- has an ip on it -- used for
> management
> 	- One Belkin 10/100 PCI card -- no IP used as the sniffing
> interface right now

Depending on the chipset used on the Belkin card, you might get better 
performance the other way around. The Intel drivers are particularly good.

> Running MySQL and BASE -- Set up per Patrick Harpers instructions
>
> The sensor is currently placed between the cable modem and the Firewall
> on a hub,  to monitor the outside traffic
>
> I would like to be able to use the second Interface as a second sniffer
> port, to take a look at internal traffic.

You have a number of choices; you can either run two snort processes (one 
on each i/f), or you can use bonding to tie two or more ports together to 
create a unified bond0 device and have snort listen to that. The advantage 
of the latter is that snort can then track state of connections that it 
sees on all bonded interfaces. OTOH, if you have a multi-processor machine, 
you may wish to run multiple snort instances in order to get the most out 
of the second and subsequent CPU(s).

I'd suggest using a third NIC, rather than using your management interface, 
especially if you go the bonding route.

To create a bonded interface on RH-alike OSs, do the following:

1) create rc.modules if it doesn't exist, and modprobe the 'bonding' kernel 
module:

# cat /etc/rc.modules
#!/bin/sh

modprobe bonding

2) create /etc/sysconfig/network-scripts/ifcfg-bond0:

# cat /etc/sysconfig/network-scripts/ifcfg-bond0
DEVICE=bond0
USERCTL=no
ONBOOT=yes
BOOTPROTO=none

3) create/modify /etc/sysconfig/network-scripts/ifcfg-eth* for each 
interface you wish to be a slave of bond0:

# cat /etc/sysconfig/network-scripts/ifcfg-eth2
DEVICE=eth2
BOOTPROTO=dhcp
HWADDR=DE:AD:C0:ED:BA:BE
ONBOOT=no
TYPE=Ethernet
MASTER=bond0
SLAVE=yes

4) Restart appropriate services, or reboot.

5) start snort with '-i bond0' instead of '-i eth2' or whatever.

> Also, I would like to hear others recommendations about how to set up the 
> logging etc.  Some have recommended using a separate box for logging etc, 
> I don't care on that issue, whatever works well is fine with me.

Running the sensor and the database on separate hosts is worthwhile. Also, 
you should use a spool processor (barnyard, mdupit, or my preference, FLoP) 
in between snort and the database for maximum efficiency.

> TIM

HTH,
Alex.
-- 
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9






More information about the Snort-users mailing list