This is a discussion on Re: [Snort-users] IDS Question within the Snort forums, part of the System Security and Security Related category.
----- Original Message -----
From: "Paul Halliday" <paul.halliday@gmail.com>
To: <snort-users@lists.sourceforge.net>
Sent: Monday, August 16, 2004 9:33 AM
Subject: [Snort-users] IDS Question

> I work at a small community college and I want to implement an IDS
> solution for one of the campuses. There are approximately 400 machines
> here utilizing a 5mbit link. Bandwidth on this link is typically
> between 1.5-2 mbit.
>
> What I have so far is a freebsd box running snort, ipfm, and openbsd's
> pf. Basically I want to monitor suspicious activity/excessive
> bandwidth usage and tickle the packet filter rules accordingly so that
> we may isolate/block the traffic for further analysis.
>
> If I had 2 gigabit nics, one in one out, and maybe another 100mbit nic
> acting as the monitor (passive tap) would this box be able to do its
> job without introducing lag? I would basically be placing the box
> between the main switch and a cisco 2600. My biggest concern is
> whether or not the forwarding of all this traffic through the machine
> will introduce latency, and if so how much. I would suspect that
> because all the info is being picked up on the passive tap that things
> shouldn't slow down too much.

I have a Pent III-500 (SuSE 8.0 Pro Linux) using snort 2.2.0 in daemon mode which sniffs an avg of 1-2mbit/sec traffic with no packet drops at all. Using a 10/100 NIC, connected to the internal i/f of the PIX via a span port on our 3550. This box has 256MB of RAM, an 8GB SCSI (20mbit/sec transfer rate), and 3 x dual 10/100 Intel NICs w/400mbit/sec throughput (per card); our environment is 4 T-1's (max of 6mbit/sec bi-directional). If you use cisco switches, look at enabling port monitor or port span to mirror all of your traffic onto a single port on the switch, and this is where you attach your snort sensor.
I'd imagine this box could easily analyze 5-10mbit/sec w/NO problem whatsoever (this machine was built out of spare parts, btw), and the NICs which handle snort are set up in promisc. mode w/NO ip address assigned to the card to cut down on traffic from the box itself.

Bill
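The sensor recipe in the reply above, written out as a bring-up script; this is an added example, not code from the thread or from the Snort project. It assumes Linux with iproute2, a sniffing NIC named eth1, the usual /etc/snort paths, and defaults to DRY_RUN=1 so it only prints the commands; the Snort statistics block at the end is constructed sample text, not real sensor output.

```shell
#!/bin/sh
# Sensor bring-up as described in the reply: a dedicated sniffing NIC with
# no IP address, in promiscuous mode, feeding Snort in daemon mode, plus a
# check that the sensor keeps up (the "no packet drops" criterion).
# Assumptions (not from the thread): Linux with iproute2, interface eth1,
# config at /etc/snort/snort.conf. DRY_RUN=1 (default) only prints commands.
DRY_RUN=${DRY_RUN:-1}
SNIFF_IF=${SNIFF_IF:-eth1}
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
SNORT_LOG=${SNORT_LOG:-/var/log/snort}

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Strip any address from the sniffing NIC, turn ARP off so the box never
# answers on it, and enable promiscuous mode so every mirrored frame is seen.
sniff_iface_up() {
    run ip addr flush dev "$SNIFF_IF"
    run ip link set dev "$SNIFF_IF" up promisc on arp off
}

# Snort in daemon mode (-D), bound to the sniffing NIC only.
start_snort() {
    run snort -D -i "$SNIFF_IF" -c "$SNORT_CONF" -l "$SNORT_LOG"
}

# Drop percentage from received/dropped counters, three decimals, safe for 0.
drop_pct() {
    awk -v r="$1" -v d="$2" 'BEGIN { printf "%.3f", (r > 0) ? d * 100 / r : 0 }'
}

# Pull the counters out of Snort's exit statistics (Received:/Dropped: lines).
stats_drop_pct() {
    r=$(printf '%s\n' "$1" | awk '/Received:/ { print $2; exit }')
    d=$(printf '%s\n' "$1" | awk '/Dropped:/  { print $2; exit }')
    drop_pct "${r:-0}" "${d:-0}"
}

# Constructed sample of Snort 2.x exit statistics, not real sensor output.
SAMPLE_STATS='Packet I/O Totals:
   Received:       123456
   Analyzed:       123400 ( 99.955%)
   Dropped:            56 (  0.045%)'

sniff_iface_up
start_snort
echo "drop rate from sample stats: $(stats_drop_pct "$SAMPLE_STATS")%"
```

Run with DRY_RUN=0 as root to apply the interface settings and start the daemon; a drop rate that climbs with link utilisation is the sign the sensor, not the link, is the bottleneck.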