[Dshield] WINSNORT

Jim McCullough jim.mccullough at gmail.com
Sat Feb 25 16:55:58 GMT 2006


Depending on your traffic flow, you might want to look at putting a
second box up to handle the SQL server and web interface side.  That
could definitely improve performance depending on what you're going to
have Snort doing.  I'm thinking a Knoppix live CD needs to be rebuilt
now...  that and a few more off the wall projects I guess.

On 2/24/06, DigitalNation <dshield at digitalnation.ca> wrote:
> Got it.
>
> So we put a BSD box as the gateway and run the IDS on it and the MS boxes
> behind it. I was heading in that direction anyhow. Thanks everyone for the
> comments. I certainly *do not* want to start a *nix VS MS conversation :)
>
> Have a safe & secure weekend.
>
> ------------------
> M. McBride
> Security Admin
> DigitalNation
> Vancouver, Canada
>
>
>
>
> -----Original Message-----
> From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
> On Behalf Of Chris Wright
> Sent: Friday, February 24, 2006 3:50 PM
> To: 'General DShield Discussion List'
> Subject: Re: [Dshield] WINSNORT
>
>
> He (Joel) never said it shouldn't be run on windows and made a point of
> stating that. What he said was, Windows isn't the best choice platform if
> you are going to be running it on a high traffic network. It is probably ok
> for me to install winsnort on my spare windows box (I don't really have
> one), connected to my 1meg ADSL line, but not something I would really want
> to have snorting my Gigabit ports/networks on my work systems. As he states
> the system overhead of the Wins boxes pretty much ties it to 100M or less,
> or the windows boxes simply wouldn't keep up.
>
> And I suppose officially, there is nothing wrong with getting the world's
> biggest PC with the fastest processor(s), loads of RAM, loads of the fastest
> drives etc etc, and you would still get a better performance running it on a
> *nix box with a 386 and 640k of base memory (ok, slight exaggeration, but you
> get my point).
>
> Just like you wouldn't want a Windows box doing Real Time Data Acquisition,
> or some other time critical operations, to do a proper job, you need a
> proper OS, built for the purpose.  Windows just ain't it. (And I run more
> windows boxes than *nix boxes so I am definitely NOT anti-MS. I am just
> careful about what I run on them).
>
>
> My $0.02
>
> Regards
>
> Chris
>
> > -----Original Message-----
> > From: list-bounces at lists.dshield.org
> > [mailto:list-bounces at lists.dshield.org] On Behalf Of DigitalNation
> > Sent: 24 February 2006 21:45
> > To: 'General DShield Discussion List'
> > Subject: Re: [Dshield] WINSNORT
> >
> > Thanks.
> >
> > So if SNORT shouldn't be run on Windows why do you offer a version?
> >
> > Just curious.
> >
> > Great info though.
> >
> > ------------------
> > M. McBride
> > Security Admin
> > DigitalNation
> > Vancouver, Canada
> >
> >
> >
> >
> >
> >
> > -----Original Message-----
> > From: list-bounces at lists.dshield.org
> > [mailto:list-bounces at lists.dshield.org]
> > On Behalf Of JE
> > Sent: Friday, February 24, 2006 1:11 PM
> > To: General DShield Discussion List
> > Subject: Re: [Dshield] WINSNORT
> >
> >
> > K..  Time for me to say something about it ;)
> >
> > Intro -- For those that aren't aware... which.. on this list.. is few:
> > My name is Joel Esler, I work for Sourcefire, makers of Snort. </intro>
> >
> > IMHO, an IDS should never be run on Windows.  (not just
> > because of its vulnerabilities, but because Windows' kernel
> > can't keep up)
> >
> > In our testing, the Linux and BSD Kernels are much faster at doing
> > all the various analyzation that we force Snort to do on traffic.
> > You shouldn't have a problem at low speeds, but I wouldn't
> > run Snort on a Windows box on anything more than say... 100
> > Mg a second.  (That is not an official Sourcefire statement,
> > just my opinion)
> >
> > winsnort.com compiles their own version of Snort.  Now, I'm
> > not aware if we have done a comparison between "theirs" and
> > "ours", but we also compile a version of Snort that runs on
> > Windows.  (see www.snort.org/dl)
> >
> > If you are considering going with any kind of Sourcefire
> > solution, RNA..IS.. what have you.  I would go all the way
> > with it.  You'll get a better deal, plus you'll have the full
> > backing of VRT, Support, and the rest of the Sourcefire team.
> >
> > Joel
> >
> > On Feb 24, 2006, at 1:53 PM, DigitalNation wrote:
> >
> > > Thanks Sue!
> > >
> > > By necessity we run some WIN32 boxes and need to have some form of
> > > packet capture and analysis. This looks pretty stable from what I have
> > > heard.
> > >
> > > Again, many thanks for your comment.
> > >
> > > ------------------
> > > M. McBride
> > > Security Admin
> > > DigitalNation
> > > Vancouver, Canada
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: list-bounces at lists.dshield.org [mailto:list-
> > > bounces at lists.dshield.org] On Behalf Of Sue Young
> > > Sent: Thursday, February 23, 2006 11:18 AM
> > > To: General DShield Discussion List
> > > Subject: Re: [Dshield] WINSNORT
> > >
> > >
> > > I run it successfully.  I run it as a service and use Base as a front
> > > end.
> > > I'm seriously considering going with the professional RNA console but
> > > running the free one is great for getting used to managing an IDS
> > > system.
> > >
> > > Sue Young
> > >
> > >
> > > -----Original Message-----
> > > From: list-bounces at lists.dshield.org [mailto:list-
> > > bounces at lists.dshield.org] On Behalf Of DigitalNation
> > > Sent: Tuesday, February 21, 2006 3:29 PM
> > > To: 'General DShield Discussion List'
> > > Subject: [Dshield] WINSNORT
> > >
> > > Here's a question from a somewhat new-to-this member.
> > >
> > > Is WINSNORT a stable IDS for WIN32? (http://www.winsnort.com)
> > >
> > > Can you install it on an existing server? (the install instructions
> > > say to install on new OS). I assume that would be for a gateway IDS
> > > system. Will it work on a standalone box?
> > >
> > > Any info or experiences with this would be much appreciated.
> > >
> > > ------------------
> > > M. McBride
> > > Security Admin
> > > DigitalNation
> > > Vancouver, Canada
> > >
> > > _________________________________________
> > > Learn about Intrusion Detection in Depth from the comfort of your own couch:
> > > https://www.sans.org/athome/details.php?id=1341&d=1
> > >
> > > _______________________________________________
> > > send all posts to list at lists.dshield.org To change your subscription
> > > options (or unsubscribe), see:
> > > http://www.dshield.org/mailman/listinfo/list
> > >
> > >
> > > Statement of Confidentiality
> > >
> > > The contents of this e-mail message and its attachments are intended
> > > solely for the addressee(s) hereof.  In addition, this e-mail transmission
> > > may be confidential and it may be subject to privilege protecting
> > > communications between attorneys or solicitors and their clients.  If you
> > > are not the named addressee, or if this message has been addressed to you
> > > in error, you are directed not to read, disclose, reproduce, distribute,
> > > disseminate or otherwise use this transmission.  Delivery of this message
> > > to any person other than the intended recipient(s) is not intended in any
> > > way to waive privilege or confidentiality.  If you have received this
> > > transmission in error, please alert the sender by reply e-mail; we also
> > > request that you immediately delete this message and its attachments, if
> > > any.  Grosvenor Capital Management, L.P. and its related entities reserve
> > > the right to monitor all e-mail communications through their networks.
> > >
> > >
> > >


--
Jim McCullough
MS WindowsXP - the lazy man's way to frustration, anger, and total
psychological breakdown.
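
Joel's "not above 100 Mb/s on Windows" rule of thumb and Chris's "the windows boxes simply wouldn't keep up" both come down to one thing you can actually measure: whether the sensor is dropping packets. The script below is an added example and is not code from this thread, from Snort or from Sourcefire. It parses counters in the style of the "Packet I/O Totals" block that Snort 2.x prints at shutdown (Received / Analyzed / Dropped), recomputes the drop rate from the raw integers instead of trusting the printed percentage, and flags a sensor that is above a threshold. The three summaries are constructed for the example, the 1% threshold is an arbitrary operational choice, and the assumption that Dropped packets are not also counted in Received is stated in the code.

```python
import re

# Constructed samples in the style of the "Packet I/O Totals" block that
# Snort 2.x prints when it exits. Every number here is invented for this
# example; none of it comes from a real sensor.
HEALTHY_SUMMARY = """\
===============================================================================
Packet I/O Totals:
   Received:      4821930
   Analyzed:      4821930 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
===============================================================================
"""

MARGINAL_SUMMARY = """\
Packet I/O Totals:
   Received:      9950000
   Analyzed:      9950000 (100.000%)
    Dropped:        50000 (  0.500%)
"""

OVERLOADED_SUMMARY = """\
Packet I/O Totals:
   Received:      9000000
   Analyzed:      9000000 (100.000%)
    Dropped:      1000000 ( 10.000%)
"""

# Matches the three counter lines; the printed percentages are ignored on
# purpose so the result does not depend on how a given build rounds them.
_COUNTER = re.compile(r"^\s*(Received|Analyzed|Dropped):\s+(\d+)", re.MULTILINE)


def parse_packet_totals(summary: str) -> dict:
    """Extract the raw counters and compute the drop rate.

    Assumption for this example: Dropped packets were lost by the capture
    layer before Snort saw them and are therefore NOT included in Received,
    so the share of wire traffic the sensor never analyzed is
    dropped / (received + dropped).
    """
    counters = {name.lower(): int(value) for name, value in _COUNTER.findall(summary)}
    for key in ("received", "dropped"):
        if key not in counters:
            raise ValueError(f"summary has no '{key}' counter")
    seen_on_wire = counters["received"] + counters["dropped"]
    # Multiply before dividing so exact ratios (e.g. 0.5%) come out exact.
    counters["drop_pct"] = (counters["dropped"] * 100 / seen_on_wire) if seen_on_wire else 0.0
    return counters


def assess_sensor(summary: str, max_drop_pct: float = 1.0) -> str:
    """Return 'OK' or 'DROPPING'. The 1% default is an arbitrary threshold
    chosen for this example; pick one that matches what you can tolerate."""
    totals = parse_packet_totals(summary)
    return "DROPPING" if totals["drop_pct"] > max_drop_pct else "OK"


if __name__ == "__main__":
    samples = (("healthy", HEALTHY_SUMMARY),
               ("marginal", MARGINAL_SUMMARY),
               ("overloaded", OVERLOADED_SUMMARY))
    for label, text in samples:
        t = parse_packet_totals(text)
        print(f"{label:10s} received={t['received']:>10d} "
              f"dropped={t['dropped']:>8d} drop={t['drop_pct']:.3f}% "
              f"-> {assess_sensor(text)}")
```

Run it against the block your own sensor prints at shutdown: a Windows box that looks fine at 10 Mb/s will show up here as "DROPPING" long before anyone notices alerts going missing, and the same check tells you whether moving the database and web front end to a second box (as suggested above) actually bought you anything.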
