Tech or Treat! Write an article about your scariest tech disaster to win gadgets!Learn more

x
?
Solved

Hardware/OS requirement for SNORT/Suricata

Posted on 2013-12-11
3
Medium Priority
?
6,430 Views
Last Modified: 2016-11-23
I am planning to install a Passive network monitoring system within a firewall protected network of 10 (may grow to 20 computers eventually) with 100 mbits/sec.  What hardware do I need for SNORT or Suricata and what OS is the best suitable for them?

Is this a good choice or totally overkill?
Dell PowerEdge R620, Intel Xeon E5-2440 2.40GHz, 16GB, 2x 1TB SATA, RAID 1, Dual Port 1GBE Networking card
0
Comment
Question by:tommym121
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 1000 total points
ID: 39713119
The NIC and CPU are the most important parts. Suricata is able to take advantage of multiple CPU's and Threads, while Snort is single threaded. But you can run more than one instance of snort to use more than one thread if need be.

You should have on NIC that is IP'd, and one that does the sniffing on the span/mirror port(s). If you need more than the two that's fine, just add in another Gb nic. The faster the NIC is capable the better.

The OS does make a difference as well, Linux is able to give you access the packets in a variety of ways, PF_Ring is probably the best way to use Suricata.
http://pevma.blogspot.com/2013/12/suricata-and-grand-slam-of-open-source_4.html
-rich
1
 
LVL 65

Accepted Solution

by:
btan earned 1000 total points
ID: 39713163
A nice article on capacity planning for the ids snort.
http://mikelococo.com/2011/08/snort-capacity-planning/

Windows not really preferred. E.g. shared-object rules do not function on windows as of Snort 2.9.0.5. Also for capture traffic capability, if any individual link exceeds about 200Mbits/sec, you need employ a capture framework that features load-balancing and select a compatible interface. It can be inbuilt OS or external LBs.

Understand it may be possible to run multiple snort in multple CPU single hw but it tends to be too complex to delve further,  so Suricata fit in then. Nonetheless even Suricata has scaled up to support to 10Gbps...

https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/
0
 

Author Closing Comment

by:tommym121
ID: 39755964
thanks
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

With the evolution of technology, we have finally reached a point where it is possible to have home automation features like having your thermostat turn up and door lock itself when you leave, as well as a complete home security system. This is a st…
What monsters are hiding in your child's room? In this article I will share with you a tech horror story that could happen to anyone, along with some tips on how you can prevent it from happening to you.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

647 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question