?
Solved

Hardware/OS requirement for SNORT/Suricata

Posted on 2013-12-11
3
Medium Priority
?
6,789 Views
Last Modified: 2016-11-23
I am planning to install a Passive network monitoring system within a firewall protected network of 10 (may grow to 20 computers eventually) with 100 mbits/sec.  What hardware do I need for SNORT or Suricata and what OS is the best suitable for them?

Is this a good choice or totally overkill?
Dell PowerEdge R620, Intel Xeon E5-2440 2.40GHz, 16GB, 2x 1TB SATA, RAID 1, Dual Port 1GBE Networking card
0
Comment
Question by:tommym121
3 Comments
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 1000 total points
ID: 39713119
The NIC and CPU are the most important parts. Suricata is able to take advantage of multiple CPU's and Threads, while Snort is single threaded. But you can run more than one instance of snort to use more than one thread if need be.

You should have on NIC that is IP'd, and one that does the sniffing on the span/mirror port(s). If you need more than the two that's fine, just add in another Gb nic. The faster the NIC is capable the better.

The OS does make a difference as well, Linux is able to give you access the packets in a variety of ways, PF_Ring is probably the best way to use Suricata.
http://pevma.blogspot.com/2013/12/suricata-and-grand-slam-of-open-source_4.html
-rich
1
 
LVL 65

Accepted Solution

by:
btan earned 1000 total points
ID: 39713163
A nice article on capacity planning for the ids snort.
http://mikelococo.com/2011/08/snort-capacity-planning/

Windows not really preferred. E.g. shared-object rules do not function on windows as of Snort 2.9.0.5. Also for capture traffic capability, if any individual link exceeds about 200Mbits/sec, you need employ a capture framework that features load-balancing and select a compatible interface. It can be inbuilt OS or external LBs.

Understand it may be possible to run multiple snort in multple CPU single hw but it tends to be too complex to delve further,  so Suricata fit in then. Nonetheless even Suricata has scaled up to support to 10Gbps...

https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/
0
 

Author Closing Comment

by:tommym121
ID: 39755964
thanks
0

Featured Post

A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to fix a SonicWall Gateway Anti-Virus firewall blocking automatic updates to apps like Windows, Adobe, Symantec, etc.
Last month Marc Laliberte, WatchGuard’s Senior Threat Analyst, contributed reviewed the three major email authentication anti-phishing technology standards: SPF, DKIM, and DMARC. Learn more in part 2 of the series originally posted in Cyber Defense …
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question