Snort System Requirements
Before getting a system together,
you need to know a few things. One, Snort data can take up a lot of disk space,
and two, you'll need to be able to monitor the system remotely. The Snort system
we maintain is in our machine room (which is cold, and a hike downstairs).
Because we're lazy and don't want to
hike downstairs, we would like to be able to maintain it remotely and securely. For Linux and UNIX, this
means including Secure Shell (SSH) and Apache with Secure Sockets Layer (SSL).
For Windows, this would mean Terminal Services (with limits on which users
and machines can connect) and Internet Information Server (IIS).
Hardware
One of the most important things
you'll need, especially if you're running Snort in Network-based Intrusion
Detection System (NIDS) mode, is a
really big hard drive. If you're storing your data as either syslog files or in
a database, you'll need a lot of space to store all the data that Snort's
detection engine uses to check for rule violations.
Another highly recommended hardware
component for Snort is a second Ethernet interface. One of the interfaces is
necessary for typical network connectivity (SSH, Web services, and so forth),
and the other interface is for Snorting. This sensing interface that does the
"snorting" is your "Snort sensor."
Snort does not have any particular
hardware requirements beyond what your OS already requires to run. Running any
application on a faster processor usually makes the application work faster.
However, the amount of data you can collect will be limited by your network
connection and by your hard drive.
You will also need a reasonably sized network interface card (NIC) to collect
the correct amount of
network packets. For example, if you are on a 100MB network, you will need a
100MB NIC to collect the correct amount of packets. Otherwise, you will miss
packets and be unable to accurately collect alerts.
In addition, you will need a good
size hard drive to store your data. If your hard drive is too small, there is a
good chance that you will be unable to write alerts to either your database or
log files. For example, our current setup for a single Snort sensor is a 9GB
partition for /var.
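The hardware points above (room under /var for logs or the alert database, a NIC that can keep up with the segment, and a sensing interface kept separate from the management one) as a pre-flight script. This is an added example, not from the book; it assumes a Linux host with /sys/class/net, POSIX sh, df(1) and ip(8), and the script name, the 9GB default and any interface names are assumptions.

```shell
# Pre-flight check for a Snort sensor host (added example, not from the book):
# room under /var for logs or the alert database, a sniffing NIC that keeps up
# with the segment, and a sensing interface separate from the management one.
# Assumes Linux (/sys/class/net), POSIX sh, df(1) and ip(8).

# Free kilobytes on the filesystem holding a path such as /var.
free_kb() { df -Pk "$1" | awk 'NR == 2 { print $4 }'; }

# 0 when free space (KB) meets the minimum (KB), 1 otherwise.
check_disk() { [ "$1" -ge "$2" ]; }

# Negotiated link speed of a NIC in Mb/s from sysfs, or 0 if unknown.
link_speed() { cat "/sys/class/net/$1/speed" 2>/dev/null || echo 0; }

# 0 when the NIC speed (Mb/s) is at least the segment speed.
check_link() { [ "$1" -ge "$2" ]; }

# The sensing interface should carry no IPv4 address; SSH/HTTPS management
# belongs on the other NIC. Argument is `ip -4 addr show dev <iface>` output.
sensor_has_no_ip() { ! printf '%s\n' "$1" | grep -q 'inet '; }

# Usage: sh snort-preflight.sh <log-path> <sensor-iface> <segment-mbps> [min-gb]
main() {
    path="$1"; iface="$2"; segment="$3"; min_gb="${4:-9}"
    min_kb=$((min_gb * 1024 * 1024)); rc=0
    if check_disk "$(free_kb "$path")" "$min_kb"; then
        echo "ok:   $path has at least ${min_gb}GB free"
    else
        echo "FAIL: $path has under ${min_gb}GB free; alerts may go unwritten"; rc=1
    fi
    if check_link "$(link_speed "$iface")" "$segment"; then
        echo "ok:   $iface keeps up with a ${segment}Mb/s segment"
    else
        echo "FAIL: $iface slower than ${segment}Mb/s (or speed unknown); expect dropped packets"; rc=1
    fi
    if sensor_has_no_ip "$(ip -4 addr show dev "$iface" 2>/dev/null)"; then
        echo "ok:   $iface carries no IPv4 address (dedicated sensor)"
    else
        echo "WARN: $iface has an IPv4 address; is it also the management NIC?"
    fi
    return "$rc"
}

# Run the checks only when invoked with arguments, so the functions can be sourced.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as `sh snort-preflight.sh /var eth1 100` to verify a sensor on a 100Mb/s segment; a non-zero exit means at least one hard requirement failed.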
Operating System
Snort was designed to be a
lightweight network intrusion detection system. Currently, Snort can run on x86
systems running Linux, FreeBSD, NetBSD, OpenBSD, and Windows. Other systems supported include
Sparc Solaris, PowerPC MacOS X and MkLinux, and PA-RISC HP-UX. Snort will run on
just about any modern OS today.
Oink!
People can get into religious
wars as to which OS is best, but you
have to be the one to administer the system, so you pick the OS.
There is an ongoing argument
regarding the best OS on which to run Snort. A while back, the *BSDs had the
better IP stack, but since Linux has gone to the 2.4 kernel, the IP stacks are
comparable. Our favorite is NetBSD, but your mileage might
vary.