[TriLUG] Snort questions
Mike Johnson
mike at enoch.org
Fri Nov 12 19:13:17 EST 2004
gregbrown at mindspring.com wrote:
> What I'd like to do is:
>
> Internet -> cable modem -> m0n0wall -> repeater -> home server |
> |------> 2nd card on home server running snort

First, what are you wanting to monitor? Just things that get through
your firewall? Do you have some ports being forwarded through the
firewall? You might consider putting a hub outside your firewall and
putting the second port of your home server in there (with no IP, of
course). Now, you'll need to keep snort up to date to make sure there
are no security holes that might compromise it, but I think you know that.

> At the moment my home "server" is a P-II doing essentially disk
> sharing and acting as a printer server and syslog server for
> m0n0wall. Would running snort crush my meager processor?

Well, that depends on your traffic. I've run a 533 MHz Via C3 CPU
system running a tuned snort/libpcap/kernel that could handle around 30
Mbps (sustained). Given the cable modem, you're looking at around
1.5 Mbps, but probably not sustained. So, snort won't be an issue.

However, what about your front end for snort? Are you going to log to a
database? That's where the load starts adding up.

In the end, just try it and see.

Mike