[Snort-users] New install questions.
Sallee, Stephen (Jake)
Jake.Sallee at ...15646...
Wed Mar 6 15:30:30 EST 2013
I am looking at building a snort server to sniff my internet traffic. If anyone has the time and/or the inclination I would very much appreciate any input you may have.
Any server I use would need to be able to deal with a constant ~250 Mb/sec of traffic as well as peaks between 450-500Mb/sec. Also, there is the distinct possibility that I will be upgrading my bandwidth to 1Gb/sec and adding an Internet 2 link as well @ 2x1Gb/sec. Please volunteer your thoughts on the following:
1) Normally where would you deploy a SNORT IDS? My thoughts are to deploy it out of band using a monitor session on the internet switch, with a dedicated management interface for sending emails and such from the snort box. Basically setting it up as a tap on the outside interface of my firewall.
2) What kind of hardware do I need? Since this is my internet sniffer it will be seeing some rather exotic traffic and will need some careful tuning to get right. I would like to be able to use as many rules as possible, but more rules = more CPU and RAM. Given that, what kind of hardware am I looking at to be able to use a good and thorough rule set while not getting bogged down under peak conditions (theoretically about 3Gb/sec)?
3) Homebrew vs. Vendor. Sourcefire makes what I consider to be the gold standard of Snort-based IDS ... or IDS in general. But, is the GUI and support necessary? If I can successfully demo and deploy this tech on a homebrew box, could I get professional support without buying the hardware from a vendor like Sourcefire, or should I skip the roll-your-own setup and go for broke with a fully supported platform first?
I am sure other questions will follow but I will not tire you further for now. Thank you in advance.
Godfather of Bandwidth
University of Mary Hardin-Baylor
900 College St.
Belton TX. 76513