On 03/03/10 09:41, Raymond Norton wrote:
> Mr. MailingLists wrote:
>> On 03/03/10 08:10, Raymond Norton wrote:
>>> I need to set up a box at our pop to sniff inbound and outbound traffic.
>>> I want to set it up as a passive device, or connect to a monitoring port
>>> on our switch, so if the box fails it does not kill our traffic. The
>>> device will need to be able to monitor thousands of connections without
>>> choking. I am pretty sure I would only turn it on when it seemed there
>>> was suspicious traffic at one of our member schools. Any recommendations
>>> of a stable solution with a nice interface??
>>>
>>> Raymond
>>
>> YAY a fun question!!!
>
> I used to keep a snort box around for sniffing, but not at this scale.
> Do you think it would be a good solution for my setup, as long as it
> meets the hardware specs?
I absolutely believe so. It was designed to be an IDS for large 
infrastructures and as long as you match the specs, plus maybe 20% 
better in case of bursts (and have scalability options), I know this 
would be a great solution. I wish I was only so lucky to go to a school 
where they actively monitored intrusions, as well as possible botnet, 
malware, p2p activity. Well, maybe not p2p ;-), too many valid reasons 
not to.

There are so many ways to configure SNORT, from packet header 
inspection, to deep scanning packet payloads, to anything in between. 
So, if one configuration does not seem to meet your specs, tune away!

Mr. M
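An added illustration of the two inspection styles mentioned above (header-only versus payload content), not part of the original thread: a minimal Snort 2.x `local.rules` fragment for a passive sensor on a switch monitoring port. It assumes `HOME_NET` and `EXTERNAL_NET` are defined in `snort.conf`; the network ranges and sensor interface name are placeholders.

```snort
# Added example (not from the thread). Assumes snort.conf defines, e.g.:
#   ipvar HOME_NET 10.0.0.0/8          # placeholder: the member schools' ranges
#   ipvar EXTERNAL_NET !$HOME_NET
# Passive sensor setup (assumed interface name eth1, no IP address, promiscuous):
#   ip link set eth1 up promisc on
#   snort -c /etc/snort/snort.conf -i eth1
# If the sensor dies, only alerting stops; the SPAN port never carries live traffic.

# Header-only inspection: no payload is examined, so this costs very little per
# packet. Flags any inbound telnet session to a school host.
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"Inbound telnet to school host"; flow:to_server,established; sid:1000001; rev:1;)

# Payload inspection: the BitTorrent handshake starts with the byte 0x13 followed
# by the 19-byte string "BitTorrent protocol", so depth:20 limits the search to
# the first 20 bytes of the stream, which keeps the content check cheap.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible BitTorrent handshake from school host"; flow:to_server,established; content:"|13|BitTorrent protocol"; depth:20; sid:1000002; rev:1;)
```

Local rules use SIDs of 1000000 and above so they never collide with the distributed rule sets; `rev` is bumped each time a rule is edited.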