[Snort-users] Recommended hardware for running snort in packet logging mode on home network proxy?

Greg Williams gwillia5 at ...15920...
Sat Mar 23 10:40:05 EDT 2013


For home I use a customized version of Security Onion on a Core 2 Duo with 2 GB of RAM. The machine runs as a router for my ISP as well, so the modem is set to bridged mode. I have 2 NICs in it: one incoming from the modem, the other one bridged to the PPP connection going to my wireless router, and the wireless router goes into another switch for my wired ports around the house. Works perfectly, so there is essentially no way to bypass my connection. I also have it logging Snort/Bro information to Splunk, so I have non-repudiation built into the logging system. By default Security Onion runs Bro IDS and Snort; Bro logs all DNS and HTTP requests, and those logs go into Splunk as well. Splunk sends me at midnight each night a report of all firewall hits off the computer. Also I use OpenDNS to stop accidental "blocked" site DNS requests. I wrote scripts to start everything up automatically, so if the power goes out I don't have to come home and start up the PPP connection and firewall bridge manually.


Greg Williams
IT Security Principal
University of Colorado at Colorado Springs
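The nightly "firewall hits" report described above is produced in Splunk in the original setup. As an added example that is not part of the original post, the following plain-Python script does the same aggregation over syslog lines from the iptables LOG target: it parses each logged hit, counts hits per source and per protocol/port, and flags sources that exceed a threshold. The log prefix `FW-DROP:`, the host name `gw`, and the sample lines are all constructed for this example.

```python
"""Nightly summary of iptables LOG hits (added example, not the poster's Splunk
setup).  Parses syslog lines written by the iptables LOG target and aggregates
them the way a midnight "firewall hits" report would.  Sample lines are
constructed; the "FW-DROP:" prefix is an assumption of this example."""
import re
from collections import Counter

# Key=value pairs emitted by the iptables LOG target, e.g. SRC=203.0.113.5 DPT=22
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample syslog lines from a router whose DROP rule logs with the
# prefix "FW-DROP:".  The pppd line is there to show non-firewall lines are skipped.
SAMPLE_LOG = """\
Mar 22 23:59:01 gw kernel: FW-DROP: IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=45231 DPT=22 SYN
Mar 22 23:59:04 gw kernel: FW-DROP: IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=45232 DPT=23 SYN
Mar 23 00:12:40 gw kernel: FW-DROP: IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=45233 DPT=22 SYN
Mar 23 01:02:11 gw kernel: FW-DROP: IN=ppp0 OUT= SRC=192.0.2.77 DST=198.51.100.2 LEN=60 PROTO=UDP SPT=5060 DPT=5060
Mar 23 01:30:00 gw pppd[812]: local  IP address 198.51.100.2
Mar 23 02:15:09 gw kernel: FW-DROP: IN=ppp0 OUT= SRC=192.0.2.9 DST=198.51.100.2 LEN=28 PROTO=ICMP TYPE=8 CODE=0
"""


def parse_fw_line(line, prefix="FW-DROP:"):
    """Return a dict of the iptables fields for one logged hit, or None if the
    line is not a firewall log line carrying the expected prefix."""
    if prefix not in line:
        return None
    fields = dict(KV_RE.findall(line.split(prefix, 1)[1]))
    # The syslog timestamp is the first three tokens: "Mar 23 00:12:40"
    fields["ts"] = " ".join(line.split()[:3])
    return fields


def summarize(log_text, prefix="FW-DROP:"):
    """Aggregate hits: total count, hits per source, hits per (proto, dport)."""
    hits = [h for h in (parse_fw_line(l, prefix) for l in log_text.splitlines()) if h]
    by_src = Counter(h["SRC"] for h in hits)
    # ICMP has no DPT, so fall back to "-" rather than dropping the hit
    by_service = Counter((h.get("PROTO", "?"), h.get("DPT", "-")) for h in hits)
    return {"total": len(hits), "by_src": by_src, "by_service": by_service}


def noisy_sources(summary, threshold=3):
    """Sources with at least `threshold` hits, most active first; these are the
    ones worth a closer look in the morning."""
    return [src for src, n in summary["by_src"].most_common() if n >= threshold]


def render_report(summary):
    """Render the summary as the plain-text report that would be mailed out."""
    lines = [f"Firewall hits: {summary['total']}", "Top sources:"]
    for src, n in summary["by_src"].most_common(5):
        lines.append(f"  {src:<16} {n}")
    lines.append("Top services:")
    for (proto, dpt), n in summary["by_service"].most_common(5):
        lines.append(f"  {proto}/{dpt:<10} {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(render_report(report))
    print("Noisy sources:", ", ".join(noisy_sources(report)) or "none")
```

On a real router the script would read yesterday's kernel log (or `journalctl -k` output) instead of `SAMPLE_LOG`; the parser only depends on the `KEY=value` layout that the iptables LOG target always emits, so it works unchanged with the extra fields (MAC, TTL, WINDOW) the sample omits.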

________________________________________
From: Mike Miller [mike at ...16027...]
Sent: Friday, March 22, 2013 8:02 PM
To: John Michael Kane
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Recommended hardware for running snort in packet logging mode on home network proxy?

Netgear makes a managed switch that'll mirror traffic. It's not expensive; look for a GS105E (specifically, there are other similar ones that are NOT managed). It'll be about $70 and has enough ports to monitor two segments (inside and DMZ in my case).

And anything Pentium4 or newer oughta handle home traffic.

On Mar 22, 2013, at 6:35 PM, John Michael Kane <johnmkane05 at ...11827...> wrote:

> Guys,
>
> I want to position a squid proxy in between my home PCs and my ISP-supplied broadband modem/router, probably running some version of Debian. What would be the recommended hardware spec for running this with snort in packet-logging (to file) mode (and does the IDS functionality still work while packet logging is enabled?), bearing in mind it's just a home network with about 7-8 devices max connecting at any one time.
>
> Also would I experience much of an increase in latency on my connected devices by adding this extra hop? Most demanding network activity would probably be HD streaming between a DLNA server and client machine.
>
> Also I'd probably want to allow both wired and WiFi connections into this proxy from the PCs (with a single outgoing wired connection direct to the modem). Can snort monitor two incoming network adapters, one WiFi, one ethernet? Or it could just monitor the outgoing ethernet connection, I guess?
>
> Thanks for any pointers in the above three areas.
> ------------------------------------------------------------------------------
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://p.sf.net/sfu/appdyn_d2d_mar
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
