Solved

Hardware/OS requirement for SNORT/Suricata

Posted on 2013-12-11
3
4,605 Views
Last Modified: 2016-11-23
I am planning to install a passive network monitoring system within a firewall-protected network of 10 computers (may grow to 20 eventually) with 100 Mbit/s. What hardware do I need for SNORT or Suricata, and what OS is best suited for them?

Is this a good choice or totally overkill?
Dell PowerEdge R620, Intel Xeon E5-2440 2.40GHz, 16GB, 2x 1TB SATA, RAID 1, Dual Port 1GBE Networking card
0
Question by:tommym121
3 Comments
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 250 total points
ID: 39713119
The NIC and CPU are the most important parts. Suricata is able to take advantage of multiple CPUs and threads, while Snort is single-threaded. But you can run more than one instance of Snort to use more than one thread if need be.

You should have one NIC that has an IP address, and one that does the sniffing on the span/mirror port(s). If you need more than the two, that's fine, just add in another Gb NIC. The faster the NIC, the better.

The OS does make a difference as well. Linux is able to give you access to the packets in a variety of ways; PF_RING is probably the best way to use Suricata.
http://pevma.blogspot.com/2013/12/suricata-and-grand-slam-of-open-source_4.html
-rich
1
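The NIC split and PF_RING advice in the answer above, turned into a small POSIX shell helper. This is an added example, not code from the thread or from the Suricata project. It assumes a management NIC with an address and a sniffing NIC on the switch mirror port (eth0 and eth1 are placeholder names), a PF_RING cluster id of 99 and the default config path; each function takes the text it inspects as an argument so the checks can be run on captured output. The last function measures kernel-side drops on the capture NIC, which is the practical answer to "is this box enough for the link": if the drop counter keeps climbing at 100 Mbit/s, the hardware or the capture path needs work, whatever the spec sheet says.

```shell
#!/bin/sh
# Added example (not from the thread). Helpers for a passive Suricata sensor with
# one management NIC that has an IP address and one sniffing NIC on the SPAN/mirror
# port with no IP. Interface names, the PF_RING cluster id (99) and the config
# path are assumptions for illustration.

# Succeeds when IFACE ($1) has no IPv4 address in the output of `ip -o -4 addr show`
# (passed as $2 so the check can be exercised on captured text).
iface_has_no_ip() {
    n=$(printf '%s\n' "$2" | awk -v i="$1" '$2 == i { c++ } END { print c + 0 }')
    [ "$n" -eq 0 ]
}

# Print the commands that turn IFACE into a sniffing-only port: flush any address,
# bring it up in promiscuous mode, and switch off NIC offloading (GRO/LRO/TSO merge
# segments, so the IDS would otherwise see packets the wire never carried; rx/tx
# are the checksum offloads).
sniff_iface_setup_cmds() {
    iface="$1"
    printf 'ip addr flush dev %s\n' "$iface"
    printf 'ip link set %s up promisc on\n' "$iface"
    printf 'ethtool -K %s gro off lro off tso off gso off rx off tx off sg off\n' "$iface"
}

# Build the Suricata command line. With PF_RING (kernel module loaded) the
# cluster_flow type spreads flows over the worker threads; otherwise fall back to
# AF_PACKET, which Suricata also load-balances across workers.
suricata_cmd() {
    iface="$1"
    pfring="$2"   # yes|no
    cfg=/etc/suricata/suricata.yaml
    if [ "$pfring" = yes ]; then
        printf 'suricata -c %s --runmode=workers --pfring-int=%s --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow\n' "$cfg" "$iface"
    else
        printf 'suricata -c %s --runmode=workers --af-packet=%s\n' "$cfg" "$iface"
    fi
}

# Percentage of inbound packets the kernel dropped on IFACE ($1), computed from
# /proc/net/dev text passed as $2. After the colon, field 2 is rx packets and
# field 4 is rx drops. A sensor that keeps dropping here is under-provisioned
# for the link (or still has offloading on).
rx_drop_pct() {
    printf '%s\n' "$2" | sed 's/:/ /' | awk -v i="$1" '
        $1 == i {
            pk = $3; dr = $5; tot = pk + dr
            if (tot == 0) print "0.00"; else printf "%.2f\n", 100 * dr / tot
        }'
}

# Stand-alone use: `sh sensor.sh eth1 yes` prints the setup and launch commands
# and the current drop rate. Nothing runs unless arguments are given.
main() {
    iface="$1"; pfring="${2:-no}"
    if ! iface_has_no_ip "$iface" "$(ip -o -4 addr show)"; then
        echo "warning: $iface has an IP address; the sniffing NIC should not" >&2
    fi
    sniff_iface_setup_cmds "$iface"
    suricata_cmd "$iface" "$pfring"
    echo "rx drops on $iface: $(rx_drop_pct "$iface" "$(cat /proc/net/dev)")%"
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

The script only prints the `ip`/`ethtool`/`suricata` commands rather than executing them, so it can be reviewed before running as root; pipe the output into `sh` once the interface names are confirmed. Flushing the address and leaving offloading on are the two mistakes that most often make a sensor on a mirror port look "slow" when the box itself is fine.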
 
LVL 62

Accepted Solution

by:btan
btan earned 250 total points
ID: 39713163
A nice article on capacity planning for the IDS Snort.
http://mikelococo.com/2011/08/snort-capacity-planning/

Windows is not really preferred. E.g. shared-object rules do not function on Windows as of Snort 2.9.0.5. Also, for traffic capture capability, if any individual link exceeds about 200 Mbit/s, you need to employ a capture framework that features load balancing and select a compatible interface. It can be built into the OS or use external load balancers.

I understand it may be possible to run multiple Snort instances on multiple CPUs in a single box, but it tends to be too complex to delve into further, so Suricata fits in then. Nonetheless, Suricata has even scaled up to support 10 Gbps...

https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/
0
 

Author Closing Comment

by:tommym121
ID: 39755964
thanks
0
