[Snort-users] New install questions.

Heine Lysemose lysemose at ...11827...
Wed Mar 6 15:55:01 EST 2013


Hi Jake

1. Place the IDS on the inside of your firewall. I think someone once said as
close to the clients as possible.

2. Plenty of both CPU and RAM. As much as the server can hold.

3. I encourage you to take a look at SecurityOnion,
http://securityonion.blogspot.com

/Lysemose
On Mar 6, 2013 9:46 PM, "Sallee, Stephen (Jake)" <Jake.Sallee at ...15646...>
wrote:

>  I am looking at building a snort server to sniff my internet traffic.
> If anyone has the time and/or the inclination I would very much appreciate
> any input you may have.
>
> Any server I use would need to be able to deal with constant ~250 Mb/sec
> of traffic as well as peak between 450-500 Mb/sec.  Also there is the
> distinct possibility that I will be upgrading my bandwidth to 1 Gb/sec and
> adding an Internet 2 link as well @ 2x1 Gb/sec. Please volunteer your
> thoughts on the following:
>
> 1) Normally where would you deploy a SNORT IDS?  My thoughts are
> to deploy it out of band using a monitor session on the internet switch,
> with a dedicated management interface for sending emails and such from the
> snort box. Basically setting it up as a tap on the outside interface of my
> firewall.
>
> 2) What kind of hardware do I need?  Since this is my internet
> sniffer it will be seeing some rather exotic traffic and will need some
> careful tuning to get right.  I would like to be able to use as many rules
> as possible, but more rules = more CPU and RAM.  Given that, what kind of
> hardware am I looking at to be able to use a good and thorough rule set
> while not getting bogged down under peak conditions (theoretically about
> 3 Gb/sec)?
>
> 3) Homebrew vs. Vendor.  Sourcefire makes what I consider to be
> the gold standard of snort based IDS ... or IDS in general. But, is the GUI
> and support necessary?  If I can successfully demo and deploy this tech on
> a homebrew box could I get professional support without buying the hardware
> from a vendor like Sourcefire, or should I skip the roll-your-own setup and
> go for broke with a fully supported platform first?
>
> I am sure other questions will follow but I will not tire you further for
> now.  Thank you in advance.
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> 900 College St.
> Belton TX. 76513
> Fone: 254-295-4658
> Phax: 254-295-4221
> HTTP://WWW.UMHB.EDU
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
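The out-of-band layout discussed above (sniffing NIC on a switch monitor session, separate management NIC) has one property worth checking before Snort is started: the sniffing interface must be up and promiscuous but carry no IP address at all, including the IPv6 link-local address Linux assigns by default, so nothing on the monitored segment can address the sensor. The script below is an added example, not code from this thread or from the Snort project; the interface name eth1, the config path /etc/snort/snort.conf and the log directory /var/log/snort are assumptions, and the two `ip addr show` outputs it checks are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check and bring up an out-of-band
# Snort sniffing interface on Linux. Interface name eth1, config path
# /etc/snort/snort.conf and log dir /var/log/snort are assumptions.

# Return 0 if the given `ip addr show <dev>` output describes a NIC that is
# up, in promiscuous mode, and has no IPv4/IPv6 address; otherwise print each
# problem on its own line and return 1.
check_sniff_iface_text() {
    text="$1"
    rc=0
    printf '%s\n' "$text" | grep -Eq '<[^>]*PROMISC[^>]*>' \
        || { echo "not in promiscuous mode"; rc=1; }
    printf '%s\n' "$text" | grep -q 'state UP' \
        || { echo "link is not up"; rc=1; }
    printf '%s\n' "$text" | grep -Eq '^[[:space:]]*inet6? ' \
        && { echo "has an IP address configured"; rc=1; }
    return $rc
}

# Live check against a real interface (needs iproute2).
check_sniff_iface() {
    check_sniff_iface_text "$(ip addr show "$1")"
}

# Prepare a sniffing NIC: flush any address, stop the kernel from adding an
# IPv6 link-local address, turn off receive offloads so Snort sees wire-size
# frames instead of kernel-merged super-frames, then promisc + up. Needs root.
prepare_sniff_iface() {
    dev="$1"
    ip addr flush dev "$dev"
    sysctl -w "net.ipv6.conf.$dev.disable_ipv6=1"
    ethtool -K "$dev" gro off lro off
    ip link set "$dev" promisc on
    ip link set "$dev" up
}

# Start Snort as a daemon reading only from the sniffing NIC; alerts, mail
# and SSH go out the separate management interface, never eth1.
start_snort_passive() {
    dev="$1"
    snort -D -i "$dev" -c /etc/snort/snort.conf -l /var/log/snort
}

# Constructed `ip addr show` outputs for the two cases (not from a real host).
GOOD_IFACE='2: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'
BAD_IFACE='2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::211:22ff:fe33:4455/64 scope link
       valid_lft forever preferred_lft forever'

# Demonstration on the constructed samples; on a real sensor run
# `check_sniff_iface eth1` after `prepare_sniff_iface eth1`.
for sample in "$GOOD_IFACE" "$BAD_IFACE"; do
    if check_sniff_iface_text "$sample"; then
        echo "OK: interface is a clean passive sensor port"
    else
        echo "FAIL: fix the problems above before starting Snort"
    fi
done
```

The address check is the one most often missed: an interface that was ever used for management keeps its address, and a freshly enabled one picks up an fe80:: link-local address, either of which lets the monitored segment talk to the sensor.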