
Re: [Snort-users] Throughput question, setup validation

To: Page-Zone Web Hosting <mail@page-zone.com>
Subject: Re: [Snort-users] Throughput question, setup validation
From: Martin Roesch <roesch@sourcefire.com>
Date: Fri, 16 Mar 2007 10:00:08 -0400
Cc: snort-users@lists.sourceforge.net
Delivered-to: sp-com-lists@consult.net
Delivered-to: snort-list@securepoint.com
In-reply-to: <45FA80B0.1020909@page-zone.com>
List-archive: <http://sourceforge.net/mailarchive/forum.php?forum=snort-users>
List-help: <mailto:snort-users-request@lists.sourceforge.net?subject=help>
List-id: "Snort users talk about... Snort!" <snort-users.lists.sourceforge.net>
List-post: <mailto:snort-users@lists.sourceforge.net>
List-subscribe: <https://lists.sourceforge.net/lists/listinfo/snort-users>, <mailto:snort-users-request@lists.sourceforge.net?subject=subscribe>
List-unsubscribe: <https://lists.sourceforge.net/lists/listinfo/snort-users>, <mailto:snort-users-request@lists.sourceforge.net?subject=unsubscribe>
References: <45FA80B0.1020909@page-zone.com>
Sender: snort-users-bounces@lists.sourceforge.net
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Jim,

I'm not familiar with the specs of the CPU you're using on your
sensor/bridge, but since the traffic volume is pretty low I think
you'll do fine on almost any modern system.  Just make sure you set
your stream memcaps fairly high (in excess of 256MB, maybe more like
512MB) and you tune your rules so that you aren't burning a lot of
clock cycles looking for stuff that's never going to happen.

As for the distro to put it on, whatever you're comfortable with is
probably best, because you can concentrate on the sensor software and
not have to spend a lot of time figuring out the underlying system.

        -Marty

On Mar 16, 2007, at 7:34 AM, Page-Zone Web Hosting wrote:

> In the 3-4 days I've been losing sleep over this awesome program, I have
> a few questions. I've pored over every possible online resource for the
> past few days and have a system up and running, although it has a long
> way to go. I'm not even sure it's working right, and haven't managed to
> get the inline portion working, but have managed to get traffic to go
> through the box.
>
> My question is: does this hardware setup / network scenario seem like a
> workable system, and can anyone give me any recommendations?
>
> The network is a 100mbit downlink to about 14 LAMP servers on the same
> class C /24 serving about 10,000 low traffic websites. The downlink goes
> into a managed SMC6224M Tiger switch.
>
> Many of the sites are running mass distributed web apps such as
> WordPress, forum scripts, and just about every other script that can be
> downloaded for free, installed and abandoned by the webmaster/hobbyist,
> leaving us to worry about it getting exploited. Most sites are small
> business brochure or hobby sites. We have a lot of protections in place
> but never enough.
>
> The 95% bandwidth usage is about 10mbps with bursts of 20mbps
> occasionally, so I imagine the key number there is 20mbps.
>
> Budget is fairly low, for instance, aanval has been purchased and was
> considered expensive.
>
> My plan is to install Snort-inline on a transparent bridge on a spare
> dual Opteron 270, 2GB ECC RAM to start (it's all I have spare right now),
> 3ware 8000 series SATA RAID 1, Tyan 3870 mainboard which has two on-board
> 10/100/1000 LAN connections (Intel i82541PI); it can be seen here:
> http://www.newegg.com/Product/Product.asp?Item=N82E16813151041
>
> Will the hardware setup listed above handle that type of network? Or
> better yet, what degree of rule checking could I accomplish. Every
> server runs an individual instance of mod_security with a 200kb set of
> rules and seems to keep up pretty well. The servers are of the same
> specs except that they are Opt. 275's & 285's.
>
> Instead of an expensive bypass switch I plan to use a spare managed
> switch that the downlink would feed into, and if the Snort box goes down
> I could manually turn that port off and another port on which would feed
> into the Tiger switch. But I haven't tested that yet to see if it would
> work.
>
> My next question: what would be the best distro to put this on? And if
> anyone has any suggestions or pitfall warnings, I'd be very glad to hear
> them.
>
> Thanks for any suggestions you may have.
>
>
>
> -- 
> Thank You,
> Jim Snape
> Page-Zone Web Hosting
> http://www.page-zone.com
>
>

- --
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)

iD8DBQFF+qLoqj0FAQQ3KOARAjgqAJ98Hw7alWIAleOtirRE7l+xoDsOtgCfX7/K
2HJSmf+kndMNc6HXg41Ih5I=
=KKKk
-----END PGP SIGNATURE-----
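The two pieces of advice in Marty's reply (raise the stream memcaps well above the defaults, and stop loading rules the traffic can never trigger) translate into a handful of lines in snort.conf. The fragment below is an added example for this archive page; it is not Marty's configuration and not something Jim posted. It assumes a Snort 2.6.1 or later sensor that uses the stream5 and frag3 preprocessors (Marty did not say which stream preprocessor he had in mind; stream4 takes a byte memcap too), uses 192.0.2.0/24 as a stand-in for the hosting /24, and refers to rule files by the names the VRT rule set of that era shipped under; the memcap and session numbers are sized for the 2GB box Jim described, not taken from the thread.

```conf
# Added example, not from the reply above or the Snort project: a snort.conf
# fragment for a 2GB sensor in front of a /24 of LAMP hosts.
# 192.0.2.0/24 stands in for the real hosting range.

var HOME_NET 192.0.2.0/24
var EXTERNAL_NET !$HOME_NET
var HTTP_SERVERS $HOME_NET
var HTTP_PORTS 80
var RULE_PATH /etc/snort/rules

# Lower-memory pattern matcher, leaving more of the 2GB for stream memcaps.
config detection: search-method ac-bnfa

# Memcap is in bytes: 512MB = 536870912. The stream5 default is 8MB, far too
# small once thousands of HTTP sessions are tracked. Cap the session count
# as well so a connection flood hits a limit instead of the memcap.
preprocessor stream5_global: track_tcp yes, track_udp yes, \
    max_tcp 262144, max_udp 65536, memcap 536870912

# Reassemble both directions on the web port so http_inspect and the web
# rules see whole requests and responses, not individual segments.
preprocessor stream5_tcp: policy linux, ports both 80, detect_anomalies
preprocessor stream5_udp: timeout 30

# frag3 has its own memcap (default 4MB); 64MB is plenty at 20Mbit/s.
preprocessor frag3_global: max_frags 65536, memcap 67108864
preprocessor frag3_engine: policy linux, detect_anomalies

preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile apache ports { 80 } oversize_dir_length 500

# Rule tuning: load only what the traffic can trigger. A web-hosting /24
# running Apache has no Oracle, NetBIOS, X11, POP3, telnet or IIS services,
# so those files burn cycles for nothing.
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
# include $RULE_PATH/web-iis.rules
# include $RULE_PATH/oracle.rules
# include $RULE_PATH/netbios.rules
# include $RULE_PATH/x11.rules
# include $RULE_PATH/pop3.rules
# include $RULE_PATH/telnet.rules
```

Before running it inline, check the whole file parses with `snort -T -c /etc/snort/snort.conf`; Snort reports the memcap each preprocessor was given and which rule files loaded, which is the quickest way to confirm the memcap actually took effect and that the unwanted categories are gone. The budget to keep in mind on a 2GB machine is the sum of the stream5 and frag3 memcaps plus the pattern-matcher tables, which is why the example pairs the 512MB memcap with the smaller ac-bnfa matcher rather than the default.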

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
