[Snort-users] IDS Question

I work at a small community college and I want to implement an IDS
solution for one of the campuses. There is approximately 400 machines
here utilizing a 5mbit link. Bandwidth on this link is typically
between 1.5-2 mbit.

What I have so far is a freebsd box running snort, ipfm, and openbsd's
pf. Basically I want to monitor suspicious activity/excessive
bandwidth usage and tickle the packet filter rules accordingly so that
we may isolate/block the traffic for further analysis.

If I had 2 gigabit nics, one in one out, and maybe another 100mbit nic
acting as the monitor (passive tap) would this box be able to do its
job without introducing lag? I would basically be placing the box
between the main switch and a cisco 2600. My biggest concern is
whether or not the forwarding of all this traffic though the machine
will introduce latency, and if so how much. I would suspect that
because all the info is being picked up on the passive tap that things
shouldnt slow down too much.

If anyone could offer some tips or thoughts about this setup it would
be greatly appreciated.

Thanks.

-p


-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users