[Snort-users] New install questions.

Sallee, Stephen (Jake) Jake.Sallee at ...15646...
Wed Mar 6 15:30:30 EST 2013

I am looking at building a snort server to sniff my internet traffic.  If anyone has the time and/or the inclination I would very much appreciate any input you may have.
Any server I use would need to be able to deal with a constant ~250 Mb/sec of traffic as well as peaks between 450-500Mb/sec.  Also there is the distinct possibility that I will be upgrading my bandwidth to 1Gb/sec and adding an Internet 2 link as well @ 2x1Gb/sec. Please volunteer your thoughts on the following:

1) Normally where would you deploy a SNORT IDS?  My thoughts are to deploy it out of band using a monitor session on the internet switch, with a dedicated management interface for sending emails and such from the snort box. Basically setting it up as a tap on the outside interface of my firewall.

2) What kind of hardware do I need?  Since this is my internet sniffer it will be seeing some rather exotic traffic and will need some careful tuning to get right.  I would like to be able to use as many rules as possible, but more rules = more CPU and RAM.  Given that, what kind of hardware am I looking at to be able to use a good and thorough rule set while not getting bogged down under peak conditions (theoretically about 3Gb/sec)?

3) Homebrew vs. Vendor.  Sourcefire makes what I consider to be the gold standard of Snort-based IDS ... or IDS in general. But is the GUI and support necessary?  If I can successfully demo and deploy this tech on a homebrew box, could I get professional support without buying the hardware from a vendor like Sourcefire, or should I skip the roll-your-own setup and go for broke with a fully supported platform first?

I am sure other questions will follow but I will not tire you further for now.  Thank you in advance.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton TX. 76513
Fone: 254-295-4658
Phax: 254-295-4221
