?
Solved

Hardware/OS requirement for SNORT/Suricata

Posted on 2013-12-11
3
Medium Priority
?
6,035 Views
Last Modified: 2016-11-23
I am planning to install a Passive network monitoring system within a firewall protected network of 10 (may grow to 20 computers eventually) with 100 mbits/sec.  What hardware do I need for SNORT or Suricata and what OS is the best suitable for them?

Is this a good choice or totally overkill?
Dell PowerEdge R620, Intel Xeon E5-2440 2.40GHz, 16GB, 2x 1TB SATA, RAID 1, Dual Port 1GBE Networking card
0
Comment
Question by:tommym121
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 1000 total points
ID: 39713119
The NIC and CPU are the most important parts. Suricata is able to take advantage of multiple CPU's and Threads, while Snort is single threaded. But you can run more than one instance of snort to use more than one thread if need be.

You should have on NIC that is IP'd, and one that does the sniffing on the span/mirror port(s). If you need more than the two that's fine, just add in another Gb nic. The faster the NIC is capable the better.

The OS does make a difference as well, Linux is able to give you access the packets in a variety of ways, PF_Ring is probably the best way to use Suricata.
http://pevma.blogspot.com/2013/12/suricata-and-grand-slam-of-open-source_4.html
-rich
1
 
LVL 64

Accepted Solution

by:
btan earned 1000 total points
ID: 39713163
A nice article on capacity planning for the ids snort.
http://mikelococo.com/2011/08/snort-capacity-planning/

Windows not really preferred. E.g. shared-object rules do not function on windows as of Snort 2.9.0.5. Also for capture traffic capability, if any individual link exceeds about 200Mbits/sec, you need employ a capture framework that features load-balancing and select a compatible interface. It can be inbuilt OS or external LBs.

Understand it may be possible to run multiple snort in multple CPU single hw but it tends to be too complex to delve further,  so Suricata fit in then. Nonetheless even Suricata has scaled up to support to 10Gbps...

https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/
0
 

Author Closing Comment

by:tommym121
ID: 39755964
thanks
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question