Snort System Requirements


Before getting a system together, you need to know a few things. First, Snort data can take up a lot of disk space, and second, you may need to be able to monitor the system remotely. For Linux and UNIX, this means including Secure Shell (SSH) and Apache with Secure Sockets Layer (SSL). For Windows, this would mean Terminal Services (with limits on which users and machines can connect) and Internet Information Server (IIS).

Hardware

One of the most important things you'll need, especially if you're running Snort in Network-based Intrusion Detection System (NIDS) mode, is a really big hard drive. If you're storing the data as either syslog files or in a database, you'll need a lot of space to store all the data that Snort's detection engine uses to check for rule violations.

Another highly recommended hardware component for Snort is a second Ethernet interface. One of the interfaces is necessary for typical network connectivity (SSH, Web services, and so forth), and the other interface is for Snorting. This sensing interface that does the "snorting" is your "Snort sensor."

Snort does not have any particular hardware requirements that your OS doesn't already require to run. Running any application with a faster processor usually makes the application work faster. However, you will be limited in the amount of data you collect by your network connection and by your hard drive.

To run Snort, you will need a network interface card (NIC) fast enough to capture the full volume of network packets. For example, if you are on a 100MB network, you will need a 100MB NIC to capture all of the packets. Otherwise, you will miss packets and be unable to collect alerts accurately.

In addition, you will need a good-sized hard drive to store your data. If your hard drive is too small, there is a good chance that you will be unable to write alerts to either your database or log files. A good setup for a single Snort sensor may be a 9GB partition for /var.

Operating System

As stated earlier, Snort was designed to be a lightweight NIDS. Currently, Snort runs on x86 systems running Linux, FreeBSD, NetBSD, OpenBSD, and Windows. Other supported platforms include SPARC Solaris, PowerPC Mac OS X and MkLinux, and PA-RISC HP-UX. Snort will run on just about any modern OS today.

Note

People can get into heated debates as to which OS is best, but you have to be the one to administer the system, so you pick the OS.

There is an ongoing argument regarding the best OS on which to run Snort. A while back, the *BSDs had the better IP stack, but since Linux has gone to the 2.4 kernel, the IP stacks are comparable. Our favorite is NetBSD, but your mileage might vary.

Other Software

Once you have the basic OS installed, you're ready to go. Make sure that you have the following prerequisites before you install Snort:

  • autoconf and automake*

  • gcc*

  • lex and yacc (or the GNU implementations flex and bison, respectively)

  • The latest libpcap from tcpdump.org

    Note

    The packages in this section are only necessary if you are compiling Snort from source code. If you are using Linux RPMs or Debian packages, you do not need these.
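The hardware notes above (a generously sized log partition, a second interface dedicated to sniffing) and this prerequisite list are the kind of thing worth verifying on a host before the build starts. The POSIX shell script below is an added example, not code from the book or from the Snort project: the /var log directory, the 2048 MB free-space threshold, interface enumeration via /sys/class/net (Linux) or `ifconfig -l` (the BSDs), and the pcap.h header locations it looks in are assumptions made for the example and can be overridden through the environment or edited.

```shell
#!/bin/sh
# Pre-flight check for a host that will become a Snort sensor.
# Added example, not from the book. Everything below is an assumption you can
# override through the environment:
#   LOG_DIR      partition that will receive alerts and logs (the text suggests /var)
#   MIN_FREE_MB  free space to insist on before installing (constructed threshold)
#   BUILD_TOOLS  the source-build prerequisites listed in the text
LOG_DIR="${LOG_DIR:-/var}"
MIN_FREE_MB="${MIN_FREE_MB:-2048}"
BUILD_TOOLS="${BUILD_TOOLS:-autoconf automake gcc flex bison}"

# Print every tool named on the command line that is not on PATH, one per line.
# Prints nothing when everything is present, so callers can test for emptiness.
missing_tools() {
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || echo "$tool"
    done
}

# Free space, in MB, on the filesystem that holds the given path.
# df -P -k is the POSIX form: one header line, then 1024-byte blocks in column 4.
free_mb() {
    set -- $(df -P -k "$1" | tail -n 1)
    echo $(( $4 / 1024 ))
}

# Succeed (exit 0) when the free space in $1 is at least the threshold in $2 (both MB).
has_headroom() {
    [ "$1" -ge "$2" ]
}

# Names of non-loopback network interfaces. Linux exposes them in sysfs; on the
# BSDs named in the text, `ifconfig -l` prints the same list on one line.
interfaces() {
    if [ -d /sys/class/net ]; then
        ls /sys/class/net | grep -v '^lo$'
    else
        ifconfig -l 2>/dev/null | tr ' ' '\n' | grep -v '^lo'
    fi
}

# How many interfaces there are, so we can tell whether one can be reserved for
# management (SSH, web console) and a second one dedicated to sniffing.
interface_count() {
    interfaces | wc -l | tr -d ' '
}

# Human-readable report. It never fails the shell itself; read the verdict lines.
preflight_report() {
    echo "== Snort sensor pre-flight =="

    missing=$(missing_tools $BUILD_TOOLS)
    if [ -z "$missing" ]; then
        echo "build tools: all of [$BUILD_TOOLS] found"
    else
        echo "build tools: MISSING:" $missing "(needed only for a source build)"
    fi

    # Heuristic only: look for the libpcap header in the two usual include paths.
    if [ -f /usr/include/pcap.h ] || [ -f /usr/local/include/pcap.h ]; then
        echo "libpcap: development header pcap.h found"
    else
        echo "libpcap: no pcap.h in /usr/include or /usr/local/include; install libpcap first"
    fi

    if [ -d "$LOG_DIR" ]; then
        free=$(free_mb "$LOG_DIR")
        if has_headroom "$free" "$MIN_FREE_MB"; then
            echo "disk: ${free} MB free on $LOG_DIR (threshold ${MIN_FREE_MB} MB) - ok"
        else
            echo "disk: only ${free} MB free on $LOG_DIR; alerts will stop being written once it fills"
        fi
    else
        echo "disk: $LOG_DIR does not exist"
    fi

    n=$(interface_count)
    if [ "$n" -ge 2 ]; then
        echo "interfaces: $n non-loopback ($(interfaces | tr '\n' ' ')) - one can be dedicated to sniffing"
    else
        echo "interfaces: $n non-loopback; the text recommends a second, dedicated sensing interface"
    fi
}

preflight_report
```

Run it as `LOG_DIR=/var MIN_FREE_MB=9000 sh snort-preflight.sh` to check against the 9GB /var partition the text suggests; the tool check reports only what is absent, so an empty "MISSING" line never appears and the script is safe to wire into a provisioning step that reads its output.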

Optional software that you can install includes:

  • MySQL, Postgres, or Oracle (SQL databases)

  • smbclient if using WinPopup messages

  • Apache or another Web server

  • PHP or Perl, if you have plug-ins that require them

  • SSH for remote access (or Terminal Server with Windows)

  • Apache with SSL capabilities for monitoring (or IIS for Windows)


The Best Damn Firewall Book Period
ISBN: 1931836906
Year: 2003
Pages: 240