
Building an IDS system

halve

Member
As the title states I am going to build an IDS system to monitor all traffic going out of our PIX and coming back in. I plan to use FreeBSD for the OS and Snort for the IDS. I want to go with a 64-bit processor from AMD, and the case needs to be a rackmounted case that will fit in a Dell rack. I do not need redundancy like dual power supplies or RAID or some such. What I do need is some info on what board would be a good fit for a 64-bit processor; should I go AMD64 or Opteron? What type of hard drives would you use, maybe 2 SCSI drives, one for the OS and Snort and the other for MySQL? Any help would be very much appreciated, thanks so much everyone.

Halve
 
How much traffic will this machine be sniffing? That would go a long way in determining how much disk space and CPU you would need.
 
IDS System = Intrusion Detection System System

Is there some reason you want a 64bit processor? And why SCSI drives? IDE (PATA or SATA) will do, spooling traffic even off a big pipe isn't that big a deal.

Thorin
 
Originally posted by: thorin
IDS System = Intrusion Detection System System

Is there some reason you want a 64bit processor? And why SCSI drives? IDE (PATA or SATA) will do, spooling traffic even off a big pipe isn't that big a deal.

Thorin

Getting traffic off the wire and inspecting each packet puts a strain on the CPU. Putting that information onto disk isn't a big deal, but since this system also seems to be the place to go to look at events, it can put a strain writing and reading large chunks of disk. I'd go with IDE too, but split these two parts of IDS monitoring into two computers (maybe IDE on the server).
 
The network supports around 1000 nodes. I can't remember how many packets go through that area at the moment, but I can run a quick collection and let you guys know.

Halve
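The "quick collection" suggested above is the right first step for sizing the sensor. Below is an added example (not code from the thread or from Snort) that turns a tcpdump-style pcap file into the numbers that matter for hardware sizing: peak packets per second, which drives CPU load during inspection, and average bytes per second, which drives disk consumption if you spool full packets. The function and file names are mine, and the capture embedded in build_sample_pcap() is constructed so the script runs offline; point size_capture() at a real capture from the PIX's outside interface to get real figures.

```python
"""Sizing an IDS sensor from a packet capture (added example, not from the thread).

Parses the classic libpcap file format with only the standard library, buckets
packets into 1-second slots, and extrapolates a day of full-packet spooling.
"""
import struct
import sys
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4  # microsecond-resolution pcap magic, written in native order


def parse_pcap(data: bytes):
    """Yield (timestamp_seconds, captured_len, wire_len) for each record."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"          # little-endian writer
    elif magic == 0xD4C3B2A1:
        endian = ">"          # big-endian writer
    else:
        raise ValueError("not a pcap file (bad magic)")
    off = 24  # global header: magic, version major/minor, thiszone, sigfigs, snaplen, linktype
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated packet record")
        yield ts_sec + ts_usec / 1e6, incl_len, orig_len
        off += incl_len


def size_capture(data: bytes) -> dict:
    """Return rate and disk estimates derived from the capture."""
    pkts_per_sec = Counter()
    bytes_per_sec = Counter()
    total_pkts = total_bytes = 0
    first = last = None
    for ts, _incl_len, orig_len in parse_pcap(data):
        sec = int(ts)
        pkts_per_sec[sec] += 1
        bytes_per_sec[sec] += orig_len   # wire size, not the snaplen-truncated size
        total_pkts += 1
        total_bytes += orig_len
        first = ts if first is None else first
        last = ts
    if total_pkts == 0:
        raise ValueError("empty capture")
    duration = max(last - first, 1e-6)
    avg_bytes_per_sec = total_bytes / duration
    return {
        "packets": total_pkts,
        "duration_s": duration,
        "avg_pps": total_pkts / duration,
        "peak_pps": max(pkts_per_sec.values()),           # worst 1-second burst the CPU must keep up with
        "peak_mbps": max(bytes_per_sec.values()) * 8 / 1e6,
        "full_spool_gb_per_day": avg_bytes_per_sec * 86400 / 1e9,  # disk if every byte is written out
    }


def build_sample_pcap() -> bytes:
    """Constructed sample capture: 8 frames over 2.5 seconds (not real traffic)."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    # (seconds offset, microseconds, wire length): a burst of small packets in second 1
    records = [(0, 100000, 1500), (0, 600000, 1500),
               (1, 100000, 60), (1, 200000, 60), (1, 300000, 60), (1, 400000, 60), (1, 500000, 60),
               (2, 600000, 1500)]
    base = 1_100_000_000  # arbitrary epoch seconds for the constructed timestamps
    out = [hdr]
    for sec, usec, length in records:
        out.append(struct.pack("<IIII", base + sec, usec, length, length))
        out.append(bytes(length))  # zeroed frame body; contents do not affect sizing
    return b"".join(out)


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for key, value in size_capture(raw).items():
        print(f"{key:>22}: {value:.3f}" if isinstance(value, float) else f"{key:>22}: {value}")
```

Run it as `python size_ids.py capture.pcap` (name assumed) against a capture taken with tcpdump's default snaplen; the wire length field is used so a truncated snaplen does not understate the spool estimate. Peak pps, not average, is the number to size the CPU against, since a sensor that falls behind during a burst silently drops the packets it was supposed to inspect.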
 
Originally posted by: n0cmonkey
Getting traffic off the wire and inspecting each packet puts a strain on the CPU. Putting that information onto disk isn't a big deal, but since this system also seems to be the place to go to look at events, it can put a strain writing and reading large chunks of disk. I'd go with IDE too, but split these two parts of IDS monitoring into two computers (maybe IDE on the server).
I agree he needs a fast CPU but I don't see the need for a 64bit CPU.

Thorin
 
Originally posted by: thorin
I agree he needs a fast CPU but I don't see the need for a 64bit CPU.

Thorin


Well it's not like AMD makes any other server-class chips. 😉
 
Originally posted by: thorin
I agree he needs a fast CPU but I don't see the need for a 64bit CPU.

Thorin

My only question would be how well FreeBSD supports the AMD64 platform.
 
Originally posted by: Sideswipe001
Well it's not like AMD makes any other server-class chips. 😉
:Q How dare you say that. You=:evil: :frown::disgust::disgust:🙁😉
 
I agree on SCSI or even 2x SATA (WD Raptors), especially good when you need to run reports.

We had an IDS setup here that included 3 sensors (2x processor/SCSI) and 1 console (basic P3 desktop). The IDS system ran ISS.com's IDS software and Win2K as the OS.

 
Originally posted by: mamisano
I agree on SCSI or even 2x SATA (WD Raptors), especially good when you need to run reports.

We had an IDS setup here that included 3 sensors (2x processor/SCSI) and 1 console (basic P3 desktop). The IDS system ran ISS.com's IDS software and Win2K as the OS.

ISS requires beefier hardware than some other IDSes. Also, they recommend not putting the log monitoring software on the sensor (and that will be a question they ask if you call for support). One of the reasons is speed. The log monitoring software will eat up resources like no other.
 
Originally posted by: Sideswipe001
Well it's not like AMD makes any other server-class chips. 😉
That's some excellent work you're doing keeping the guys at AMD employed buying their procs "just because".

Thorin
 