Re: [Snort-users] How to setup inline (Snort forums, System Security and Security Related category)
What would the hardware requirements be on a system to run inline for
snort? Will be using it at the headend of a WISP, with currently approx. 850
customers. I have an AMD Sempron 1800+ with 1 GB RAM and two 80 GB HDDs set
up in RAID 0. Will that be sufficient to handle the load?

Mike

Eric Hines wrote:
> Mike,
>
> Answer 1) Yes, you will want (3) NICs on your box. Pop a new NIC in
> there. When you bridge it, you will have br0 for example, which will
> comprise a bridge of eth1 and eth2. Make eth0 your management interface
> and give it an IP.
>
> eth0: 192.168.0.1
> eth1: 0.0.0.0
> eth2: 0.0.0.0
>
> Answer 2) Snort-Inline uses netfilter, ip_queue, etc. for dropping
> packets. There are numerous writeups on how to set this up.
>
> Answer 3) Specifying which attacks are dropped is done using the drop,
> sdrop, etc. keywords in the action of the individual signature.
>
> I hope this helps.
>
> Best Regards,
>
> Eric Hines, GCIA, CISSP
> CEO, President
> Applied Watch Technologies, LLC
> 1095 Pingree Road
> Suite 213
> Crystal Lake, IL 60014
> Toll Free: (877) 262-7593 ext:327
> Direct: (847) 854-2725 ext:327
> Fax: (847) 854-5106
> Web: http://www.appliedwatch.com
> Email: eric.hines@appliedwatch.com
>
> "Enterprise Open Source Security Management"
>
> Mike Montgomery wrote:
>> Hello,
>>
>> I recently set up a box running snort at our headend; it's not inline as
>> of now, but it's using a monitor port on a Cisco 2950. What would be the
>> ideal setup to put the box inline? I currently have 2 NICs in this box:
>> 1 on the monitor port, the 2nd is the NIC I use to connect to the box for
>> console. To go inline, would I need 3 NICs total, 1 in, 1 out, and set
>> them to be bridged? Or what? If I wanted snort to drop the packets for,
>> say, P2P, would snort do that by itself, or would I need to have a
>> firewall running to do that?
>> Just trying to make some sense of this.
>>
>> Thanks
>>
>> Mike Montgomery
>> Citizens Communications Corp.
>> /Systems Administrator/

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users
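The three-NIC bridge, ip_queue hookup and drop/sdrop rule action that Eric's reply describes, written out as an added shell example. This is not code from the thread or from the Snort project. It assumes a Linux box of the snort_inline era (2.4/2.6 kernel) with bridge-utils (brctl), iptables and the ip_queue module, and uses the interface names and management address from his reply; the netmask, the bridge-nf sysctl, the snort_inline config/log paths and command line, and the port-based "P2P" rule are assumptions or constructed illustrations, not settings or signatures from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): put a snort_inline box in the path as a
# transparent bridge. eth0 = management (the only interface with an IP),
# eth1/eth2 = bridged members with no address, br0 = the bridge, as laid out
# in Eric's reply. Assumes Linux with bridge-utils, iptables and ip_queue.
MGMT_IF=${MGMT_IF:-eth0}
MGMT_IP=${MGMT_IP:-192.168.0.1}
MGMT_MASK=${MGMT_MASK:-255.255.255.0}      # assumed; the thread gives only the IP
IN_IF=${IN_IF:-eth1}
OUT_IF=${OUT_IF:-eth2}
BR_IF=${BR_IF:-br0}
SNORT_CONF=${SNORT_CONF:-/etc/snort_inline/snort_inline.conf}   # assumed path
SNORT_LOG=${SNORT_LOG:-/var/log/snort_inline}                    # assumed path

# run: execute a command, or only print it when DRY_RUN=1, so the exact
# command sequence can be reviewed before it touches a production headend.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# bridge_up: build the bridge, start the sensor, then divert bridged packets
# to userspace. Order matters: the QUEUE rule goes in last, because with
# nothing reading ip_queue every queued packet is dropped (fail closed).
bridge_up() {
    run modprobe ip_queue
    run brctl addbr "$BR_IF"
    run brctl addif "$BR_IF" "$IN_IF"
    run brctl addif "$BR_IF" "$OUT_IF"
    # Bridge members get 0.0.0.0: the box has no IP presence on the wire.
    run ifconfig "$IN_IF" 0.0.0.0 promisc up
    run ifconfig "$OUT_IF" 0.0.0.0 promisc up
    run ifconfig "$BR_IF" 0.0.0.0 up
    run ifconfig "$MGMT_IF" "$MGMT_IP" netmask "$MGMT_MASK" up
    # Bridged frames only traverse the iptables FORWARD chain when bridge-nf
    # is on; without it snort_inline never sees the traffic and drops nothing.
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
    # -Q = read packets from ip_queue, -D = daemonize (assumed flags).
    run snort_inline -Q -D -c "$SNORT_CONF" -l "$SNORT_LOG"
    # QUEUE hands every forwarded packet to ip_queue for snort_inline's verdict.
    run iptables -A FORWARD -j QUEUE
}

# rule_to_drop: rewrite a rule's action from 'alert' to 'drop' (or 'sdrop').
# Answer 3 in the thread: the action keyword of each signature decides what
# is dropped. sdrop discards silently with no alert, so keep drop until the
# rule is tuned, or you will never see what it is blocking.
rule_to_drop() {
    action=${2:-drop}
    printf '%s\n' "$1" | sed "s/^alert /$action /"
}

# Constructed illustration only: a port-range rule, not a real P2P signature.
P2P_RULE='alert tcp $HOME_NET any -> $EXTERNAL_NET 6881:6889 (msg:"P2P BitTorrent port range (illustrative)"; classtype:policy-violation; sid:1000001; rev:1;)'

case "${1:-}" in
    apply) bridge_up ;;                                        # needs root
    show)  DRY_RUN=1; bridge_up; rule_to_drop "$P2P_RULE" ;;   # preview only
    *)     echo "usage: $0 apply|show" >&2 ;;
esac
```

Run it with `show` first to see the command sequence and the rewritten rule, then `apply` as root on the sensor. Two caveats worth keeping in mind with this layout: the bridge-nf sysctl must be on or the FORWARD/QUEUE rule is never hit, and `-j QUEUE` fails closed, so a crashed or unstarted snort_inline takes the whole customer link down. Later kernels removed ip_queue in favour of NFQUEUE (libnetfilter_queue), where the same design uses `-j NFQUEUE` and Snort's NFQ DAQ instead.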