Home > Geeky stuff, Security > Snort IDS

Snort IDS

May 22, 2007 Leave a comment Go to comments

I am redoing the IDS system at work.  The current IDS uses snort and BASE.  Base just isn’t able to keep up under the current load.  We got a new quad core server with 4 gigs of ram that should do nicely for base.  I also decided to redo the sensors at the same time.  They were both running FreeBSD and I wanted to go to CentOS 5 because I am much more familiar with it than FreeBSD.  I installed CentOS 5 and did a test run with tcpdump.   It just can’t keep up the kernel is dropping packets even when loging just the raw packets to a file.  The traffic isn’t huge its about 3000 packets per second (around 32 Mbps).  Even after tunning some kernel parameters and some network parameters it was still dropping packets.

From what I have read the FreeBSD network stack is a lot better at this type of thing.  I am testing another FreeBSD box to see if it can keep up without dropping packets.  If it can keep up then I am going to use freeBSD for the sensors and stick with CentOS for the BASE front end.

UPDATE:  FreeBSD took it like a champ 0 dropped packets, so it looks like its FreeBSD for snort

Categories: Geeky stuff, Security
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

%d bloggers like this: