[EMAIL PROTECTED] wrote:

What I'd like to do is:

Internet -> cable modem -> m0n0wall -> repeater -> home server | |------> 2nd card on home server running snort

First, what are you wanting to monitor? Just things that get through your firewall? Do you have some ports being forwarded through the firewall? You might consider putting a hub outside your firewall and putting the second port of your home server in there (with no IP, of course). Now, you'll need to keep snort up to date to make sure there are no security holes that might compromise it, but I think you know that.


At the moment my home "server" is a P-II doing essentially disk
sharing and acting as a printer server and syslog server for
m0n0wall.  Would running snort crush my meager processor?

Well, that depends on your traffic. I've run a 533 MHz Via C3 CPU system running a tuned snort/libpcap/kernel that could handle around 30 Mbps (sustained). Given the cable modem, you're looking at around 1.5 Mbps, but probably not sustained. So, snort won't be an issue. However, what about your front end for snort? Are you going to log to a database? That's where the load starts adding up.


In the end, just try it and see.

Mike
--
TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ  : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring         : http://trilug.org/~chrish/trilug.asc
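
The "no IP" sensor port suggested in the reply can be audited with a short script. This is an added example, not part of the original thread: it checks `ip -o addr show` output for any address on the sniffing interface, including the IPv6 link-local address Linux assigns when a link comes up. The interface name `eth1` and the sample output are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): verify a sniffing NIC carries no IP.
# Constructed sample of `ip -o addr show` output; eth1 is an assumed name.
SAMPLE='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth0\       valid_lft forever preferred_lft forever
3: eth1    inet6 fe80::a00:27ff:fe4e:66a1/64 scope link \       valid_lft forever preferred_lft forever'

# addrs_on IFACE: read `ip -o addr show` text on stdin and print
# "family address" for every IPv4/IPv6 address bound to IFACE.
addrs_on() {
    awk -v ifc="$1" \
        '$2 == ifc && ($3 == "inet" || $3 == "inet6") { print $3, $4 }'
}

# is_stealth IFACE: succeed only when IFACE has no address at all.
# An interface without addresses produces no lines in `ip -o addr show`.
is_stealth() {
    [ -z "$(addrs_on "$1")" ]
}

# Demo on the constructed sample: eth1 has no IPv4 address, but the
# kernel-assigned link-local IPv6 address means it can still talk.
if printf '%s\n' "$SAMPLE" | is_stealth eth1; then
    echo "eth1: no addresses bound"
else
    echo "eth1 still has:"
    printf '%s\n' "$SAMPLE" | addrs_on eth1
fi

# On the real host, as root (eth1 assumed), the cleanup would be:
#   sysctl -w net.ipv6.conf.eth1.disable_ipv6=1
#   ip addr flush dev eth1
#   ip link set dev eth1 up
#   ip link set dev eth1 promisc on
# and the live check:
#   ip -o addr show | is_stealth eth1 && snort -i eth1 ...
```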