Solved

Hardware/OS requirement for SNORT/Suricata

Posted on 2013-12-11
3
5,419 Views
Last Modified: 2016-11-23
I am planning to install a Passive network monitoring system within a firewall protected network of 10 (may grow to 20 computers eventually) with 100 mbits/sec.  What hardware do I need for SNORT or Suricata and what OS is the best suitable for them?

Is this a good choice or totally overkill?
Dell PowerEdge R620, Intel Xeon E5-2440 2.40GHz, 16GB, 2x 1TB SATA, RAID 1, Dual Port 1GBE Networking card
0
Comment
Question by:tommym121
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 250 total points
ID: 39713119
The NIC and CPU are the most important parts. Suricata is able to take advantage of multiple CPU's and Threads, while Snort is single threaded. But you can run more than one instance of snort to use more than one thread if need be.

You should have on NIC that is IP'd, and one that does the sniffing on the span/mirror port(s). If you need more than the two that's fine, just add in another Gb nic. The faster the NIC is capable the better.

The OS does make a difference as well, Linux is able to give you access the packets in a variety of ways, PF_Ring is probably the best way to use Suricata.
http://pevma.blogspot.com/2013/12/suricata-and-grand-slam-of-open-source_4.html
-rich
1
 
LVL 63

Accepted Solution

by:
btan earned 250 total points
ID: 39713163
A nice article on capacity planning for the ids snort.
http://mikelococo.com/2011/08/snort-capacity-planning/

Windows not really preferred. E.g. shared-object rules do not function on windows as of Snort 2.9.0.5. Also for capture traffic capability, if any individual link exceeds about 200Mbits/sec, you need employ a capture framework that features load-balancing and select a compatible interface. It can be inbuilt OS or external LBs.

Understand it may be possible to run multiple snort in multple CPU single hw but it tends to be too complex to delve further,  so Suricata fit in then. Nonetheless even Suricata has scaled up to support to 10Gbps...

https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/
0
 

Author Closing Comment

by:tommym121
ID: 39755964
thanks
0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question