Snort mailing list archives
Re: Question for the Group??
From: Matt Kettler <mkettler () EVI-INC COM>
Date: Mon, 10 Feb 2003 17:50:49 -0500
Regardless of the technical merits of Microsoft vs Unix style solutions, probably the biggest benefit of running snort on a Unix system is that both snort and libpcap are tools which are designed and written to be run on a Unix system.
Running them on Windows works, and works pretty well, but it is a port of a Unix tool to an alternate platform. Occasionally there are some portability limitations, such as the previous lack of SMP support in winpcap (recently resolved).
Also, since snort is a Unix-style tool, it is configured in a Unix-ish fashion, which isn't such a big deal, but does stick out as a misfit amidst the crowd of Windows-style apps on a Windows box.
One could also argue that Unix would be significantly better on a minimal-hardware type configuration, as you can set it up to boot in console-only mode and save the memory that would otherwise be used to run a GUI that you probably don't need. (I've made snort run pretty well for a cable-modem setup under a stripped-down Linux install on a 486 with 12 MB of RAM.)
In general, however, I'd pick the style of box you KNOW for sure that you can lock down into a highly intrusion-resistant system. If you're completely clueless as to how to patch and secure a Unix box, running one is probably just as bad as running a Windows box with only minimal security knowledge. If you're not well versed in securing either platform, I strongly suggest you learn how before setting up a machine which has an ideal position in the network to engage in spoofing attacks against other machines in your network, as most snort sensors are.
At 01:46 PM 2/10/2003 -0800, Snow Jacob C KPWA wrote:
Kind of an add on question to this but slightly off topic is what is the benefit for running this configuration on a Linux machine/machines vs. running this setup on a win2k server/pro box?

Thank you,
Jacob Snow
jacobsc () kpt nuwc navy mil
(360)315-3487
NAVSEA Intern
