snort hardware feedback

amrogers3

Hello HF'ers,

Can't seem to find hardware requirements for Snort on the website. I am trying to build a Snort box for a home network. Approx 6 network devices and 3 users. I was planning on using this:

  • Supermicro X7SPA-HF-D525
  • Western Digital Scorpio Black wd5000bpkt 500GB 7200 RPM 16MB Cache 2.5" SATA 3.0Gb/s Internal Notebook Hard Drive
  • Supermicro CSE-502L-200B Black 1U Rackmount Mini Server Chassis
  • G.SKILL 4GB (2 x 2GB) 204-Pin DDR3 SO-DIMM DDR3 1333 (PC3 10600) Laptop Memory Model F3-10600CL9D-4GBSQ


I'm not 100% on the memory as I couldn't find DDR3 in 800 MHz on Newegg.

What do you guys think about this? I wanted to get a decent hardware set in case my network grows in the future.

Also, any suggestions on what OS to install SNORT on? This is my first attempt at a SNORT install.

Thanks all.
 
Yeah, Snort can pretty much run on fairly old hardware. Requirements to run it are small, so I say what you have spec'd out is more than enough to run Snort.

ClearOS is very easy to use and can be admin'd via WebGUI. It's based on CentOS Linux, if I recall that correctly, and is really easy to set up Snort on, as it is a simple check-box-to-install type scenario. Give that a go first and see how you like it. The WebGUI will give you stats, etc. You will want to set up ClearOS in standalone server mode instead of gateway mode (can act as a full-fledged firewall) if all you want to do is run Snort. Check it out.

EDIT: With the specs you have with that hardware you could also install a bunch of other services on ClearOS too such as a network web proxy with squid, content filtering, FTP, web, email and several other services too and is dead easy to install and admin. Just an FYI.
 
Hardware is more than plenty for Snort on a home network. For Snort, the power you need is based on what else is running on the box (other firewall services), amount of traffic..and the big one...what rules of Snort you load. It likes RAM, 4 gigs will be great.

There's a nice Snort add-on package for pfSense.
Check out this article..and follow links to related ones
http://www.smallnetbuilder.com/secu...ld-your-own-ids-firewall-with-pfsense?start=2
 
Very cool Stonecat. Couple questions:
  1. Would running both an IDS and pfSense on the same box be a single point of failure? If enough traffic can be generated, couldn't the IDS create a DoS type of situation, crashing and/or leaving the firewall open?
  2. Does the pfSense Snort add-on monitor external or internal traffic?

I love the knowledgeable mofos on this forum. :D
 
Regarding single point of failure...say you build a box just to do IDS, and another to be your router. If the router dies..there's your single point of failure..."no internet".

I wouldn't worry about that, use good hardware and you're all set.
You can do wan 'n lan, (see screenshot in that link above..he discusses it a bit) I just have mine on the WAN. I'm not worried about the inside, just the front door.
 
> Regarding single point of failure...say you build a box just to do IDS, and another to be your router. If the router dies..there's your single point of failure..."no internet".

True, but I don't care if my router dies. Then no one can get in. If the IDS gets compromised, that could possibly cause pfSense to fail, creating a hole into my network. However, I want to try this. It will save me from buying another Supermicro board and about $300. Will the above hardware set run both pfSense and Snort? I know Snort can be pretty memory intensive.


> You can do wan 'n lan, (see screenshot in that link above..he discusses it a bit) I just have mine on the WAN. I'm not worried about the inside, just the front door.

They can knock on my door all day long. It's a problem when you open the door and step into my house. Then we got problems.

Is this what you are referring to? I want to make sure I can set it to only monitor LAN:

[Image: Picture3-1.png]
 
1. Can you utilize the full Snort ruleset on pfSense or is it limited to a smaller ruleset?
2. If pfSense allows the full ruleset, would the above hardware be able to handle the full ruleset?

I have an older Supermicro box:
  • 2x G.SKILL 2GB 200-Pin DDR2 SO-DIMM DDR2 667 (PC2 5300) = 4GB RAM
  • SUPERMICRO MBD-X7SPA-HF-O Mini ITX Intel Atom D510 processor Server Motherboard

3. Would this older box run pfSense with the full Snort ruleset?
 