In the 3-4 days I've been losing sleep over this awesome program, I have
a few questions. I've pored over every possible online resource for the
past few days and have a system up and running although it has a long
way to go. I'm not even sure it's working right, and haven't managed to
get the inline portion working, but have managed to get traffic to go
through the box.
My question is: does this hardware setup / network scenario seem like a
workable system, and can anyone give me any recommendations?
The network is a 100 Mbit downlink to about 14 LAMP servers on the same
class C /24, serving about 10,000 low-traffic websites. The downlink goes
into a managed SMC6224M Tiger switch.
Many of the sites are running mass-distributed web apps such as
WordPress, forum scripts, and just about every other script that can be
downloaded for free, installed and abandoned by the webmaster/hobbyist,
leaving us to worry about them getting exploited. Most sites are small
business brochure or hobby sites. We have a lot of protections in place,
but never enough.
The 95th-percentile bandwidth usage is about 10 Mbps, with occasional
bursts of 20 Mbps, so I imagine the key number there is 20 Mbps.
Budget is fairly low; for instance, aanval has been purchased and was
considered expensive.
My plan is to install Snort-inline on a transparent bridge on a spare
dual Opteron 270 with 2 GB ECC RAM to start (it's all I have spare right now),
a 3ware 8000 series SATA RAID 1, and a Tyan 3870 mainboard, which has two
onboard 10/100/1000 LAN connections (Intel i82541PI); it can be seen here:
http://www.newegg.com/Product/Product.asp?Item=N82E16813151041
Will the hardware setup listed above handle that type of network? Or,
better yet, what degree of rule checking could I accomplish? Every
server runs an individual instance of mod_security with a 200 KB set of
rules and seems to keep up pretty well. The servers are of the same
specs, except that they are Opteron 275s and 285s.
Instead of an expensive bypass switch, I plan to use a spare managed
switch that the downlink would feed into; if the Snort box goes down,
I could manually turn that port off and another port on, which would feed
into the Tiger switch. I haven't tested that yet to see if it would work.
My next question: what would be the best distro to put this on? If
anyone has any suggestions or pitfall warnings, I'd be very glad to hear
them.
Thanks for any suggestions you may have.
--
Thank You,
Jim Snape
Page-Zone Web Hosting
http://www.page-zone.com
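The bring-up the poster describes (a Linux transparent bridge with snort_inline reading from the ip_queue QUEUE target) as an added example; this is not the poster's script or part of Snort-inline itself. It assumes eth0 faces the downlink, eth1 faces the Tiger switch, the bridge is br0, and the config lives at /etc/snort_inline/snort_inline.conf (all placeholders). It also adds the check the poster's manual-bypass plan needs: the iptables QUEUE target drops packets when no userspace reader is attached, so if snort_inline dies the box fails closed and every hosted site goes dark. The watchdog function removes the QUEUE rule when snort_inline is no longer running, so the bridge falls back to plain forwarding until someone flips the switch port. DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Transparent bridge + snort_inline bring-up with a fail-open watchdog.
# Added example, not from the original post. Interface and path names
# are assumptions; adjust to the real hardware.
#   ./ips-bridge.sh up       bring up the bridge, QUEUE rule and snort_inline
#   ./ips-bridge.sh bypass   cron this every minute as the watchdog
# Set DRY_RUN=1 to print what would be executed instead of executing it.

OUT_IF=${OUT_IF:-eth0}     # assumed: toward the 100 Mbit downlink
IN_IF=${IN_IF:-eth1}       # assumed: toward the SMC Tiger switch / LAMP servers
BRIDGE=${BRIDGE:-br0}
SNORT_CONF=${SNORT_CONF:-/etc/snort_inline/snort_inline.conf}   # assumed path
SNORT_LOG=${SNORT_LOG:-/var/log/snort_inline}                    # assumed path

# Execute a command, or echo it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

setup_bridge() {
    run modprobe bridge
    run brctl addbr "$BRIDGE"
    run brctl addif "$BRIDGE" "$OUT_IF"
    run brctl addif "$BRIDGE" "$IN_IF"
    # Neither member nor the bridge itself gets an IP address: the box is
    # a bump in the wire, invisible to the hosted servers and the Internet.
    run ip link set "$OUT_IF" up
    run ip link set "$IN_IF" up
    run ip link set "$BRIDGE" up
    # bridge-netfilter: make bridged frames traverse the iptables FORWARD chain.
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

setup_queue() {
    run modprobe ip_queue
    # Hand every packet crossing the bridge to userspace (snort_inline).
    run iptables -I FORWARD -j QUEUE
}

start_snort() {
    # -Q: inline mode (read from ip_queue), -D: daemonize.
    run snort_inline -Q -D -c "$SNORT_CONF" -l "$SNORT_LOG"
}

# Watchdog. The QUEUE target drops packets when nobody reads the queue,
# so a dead snort_inline blackholes all 10,000 sites. Returns 0 if the
# IPS is alive, otherwise pulls the QUEUE rule(s) and returns 1.
bypass_if_dead() {
    if pidof snort_inline >/dev/null 2>&1; then
        return 0
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables -D FORWARD -j QUEUE"
    else
        # Delete every copy of the rule in case setup_queue ran more than once.
        while iptables -D FORWARD -j QUEUE 2>/dev/null; do :; done
    fi
    return 1
}

case "${1:-}" in
    up)     setup_bridge; setup_queue; start_snort ;;
    bypass) bypass_if_dead ;;
esac
```

The watchdog only covers the IPS process dying; it does nothing if the kernel panics or the box loses power, which is why a hardware bypass switch (or the poster's spare managed switch) is still needed. Once snort_inline is back, re-run `setup_queue` so traffic is inspected again.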
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users