Snort mailing list archives

deployment advice


From: Daniel de Young <daniel () velvetsea com>
Date: 23 Sep 2003 19:00:24 -0700

Okay, I'm in the planning stages of a new Snort box and could use some
feedback/suggestions.

Here is the setup (low-volume network)...

-----------------
|   router/fw   | ss20 sm71 w/qfe obsd+pf
-----------------
||||
|||| 4 links being monitored
||||
-----------------
|    switch     | cisco 2924xl
-----------------
    ||||
    |||| 4 span ports
    ||||
-----------------
|   snort ids   | ultra2 2x200 w/qfe
-----------------

Highlights are:

1. monitor WAN, DMZ, LAN, admin VLANs (no tags)
2. Snort on an Ultra2 2x200 256MB qfe
3. ACID/Postgres front end (on another box)

From the Caswell et al. book and FAQ I gather the following:

1. In order to monitor multiple interfaces, I'll need to do one of the
following:

  A. run multiple instances of snort
  B. use a bridge interface
  C. use a snort patch that allows me to specify "any" for interface

2. If I'm not running multiple instances I'll need to specify something
like the following:

var HOME_NET [10.10.10.0/24,192.168.1.0/24,etc]

preprocessor portscan: 0.0.0.0/0 5 60 /var/log/snort/portscan.log
preprocessor portscan-ignorehosts: 10.10.10.0/24 192.168.1.0/24 etc


My questions are:

1. What are your suggestions for OS (no holy wars!)? Normally I run
OpenBSD, but I'll need SMP this time. I figure my choices are Solaris,
NetBSD, Linux. I gather that my next question may have sway on the
answer since some methods are OS dependent.

2. I'd like for each segment's data to be logged/stored separately for
easy analysis from the database. Which method of running multi-if lends
itself best to this goal? Would it be multiple instances?

3. Any other suggestions based on what you see?

Thanks,

-daniel
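As an added example (not part of the original post, and not Snort's own documentation), here is how option A from the post, one Snort process per span port, can be laid out so that each segment keeps its own config, its own log directory and its own sensor name in the ACID/Postgres database, which is what question 2 asks for. It relies on the `sensor_name=` parameter of Snort's `output database:` plugin, which is what ACID uses to tell sensors apart. The interface names qfe0-qfe3, the /etc/snort and /var/log/snort paths, the 10.10.20.0/24 admin range and the database user/host are assumptions for illustration; the script only generates the config files and prints the command lines, it does not start snort.

```shell
#!/bin/sh
# Added example (not from the original post): option A above, one snort
# process per span port, each with its own config, its own log directory
# and its own sensor_name so events stay separable in ACID/Postgres.
# Interface names, paths, the 10.10.20.0/24 admin range and the DB
# user/host are assumptions for illustration.

# Segment table: name, capture interface, HOME_NET (one or more CIDRs).
# The wan instance sits outside the firewall, so its "home" side is every
# protected network behind it. (Constructed sample data.)
SEGMENTS='wan qfe0 10.10.10.0/24 192.168.1.0/24 10.10.20.0/24
dmz qfe1 192.168.1.0/24
lan qfe2 10.10.10.0/24
admin qfe3 10.10.20.0/24'

# gen_snort_conf SEGMENT "CIDR [CIDR ...]" ETCDIR LOGBASE
# Writes ETCDIR/SEGMENT.conf and prints its path.
gen_snort_conf() {
    seg=$1; nets=$2; etcdir=$3; logbase=$4
    conf="$etcdir/$seg.conf"
    # Snort wants a bracketed, comma-separated list when HOME_NET has
    # more than one CIDR, and a bare CIDR otherwise.
    case $nets in
        *' '*) homenet="[$(printf '%s' "$nets" | tr ' ' ',')]" ;;
        *)     homenet=$nets ;;
    esac
    cat > "$conf" <<EOF
# snort.conf for segment '$seg' (generated)
var HOME_NET $homenet
var EXTERNAL_NET !\$HOME_NET
# portscan detection: watch everything, but do not flag our own hosts;
# the scan log lives under this segment's own log directory.
preprocessor portscan: 0.0.0.0/0 5 60 $logbase/$seg/portscan.log
preprocessor portscan-ignorehosts: $nets
# sensor_name keys this instance's events to the segment in the ACID database
output database: log, postgresql, user=snort dbname=snort host=127.0.0.1 sensor_name=$seg
# shared rule set, classification.config, reference.config etc. follow here
EOF
    printf '%s\n' "$conf"
}

# snort_cmd SEGMENT IFACE ETCDIR LOGBASE
# Prints the daemon command line for one segment (does not start it):
# -D daemonise, -i capture interface, -c config, -l per-segment log dir.
snort_cmd() {
    printf 'snort -D -i %s -c %s/%s.conf -l %s/%s\n' "$2" "$3" "$1" "$4" "$1"
}

# Generate every config and print one command line per segment.
run_all() {
    etcdir=$1; logbase=$2
    printf '%s\n' "$SEGMENTS" | while read -r seg iface nets; do
        gen_snort_conf "$seg" "$nets" "$etcdir" "$logbase" >/dev/null
        snort_cmd "$seg" "$iface" "$etcdir" "$logbase"
    done
}

# Demo: write the configs into a scratch directory and show the commands.
demo_dir=$(mktemp -d)
echo "configs written under $demo_dir:"
run_all "$demo_dir" /var/log/snort
```

Each instance then has a distinct `-l` directory on disk and a distinct `sensor_name` in the database, so ACID can be filtered by sensor to look at one segment at a time. The trade-off against option B or C is four copies of the rule set in memory, which is worth checking against the 256MB in the post.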


