[Soekris] IDS on a 4801?
Tenzen
toddenzen+1 at gmail.com
Wed Apr 25 01:40:28 UTC 2007
I've a Net4801 w/ FreeBSD 6.2 running pf w/ altq & carp, spamd, rbldnsd & bind9.
Performing nicely, so far.
I'm interested in adding active IDS to the mix, along the lines of
Snort + SnortSam, hoping to integrate with pf etc.
What's been the experience on list with Snort's performance on this
sort of setup? Snort *can* be a bit of a resource 'pig' (couldn't
resist ...)
There are lightweight -- and light in function -- alternatives, e.g.,
http://danger.rulez.sk/projects/bruteforceblocker/
http://pfsense.best-view.net/packages/config/pfPorts/sshlockout_pf/files/sshlockout_pf.c
that seem to be ssh-port-specific, but could be readily adapted.
Just wondering whether Snort is too heavy, or whether I should adopt a
lightweight, perlcc-compiled (e.g.) alternative ...
Yes, I know it's subjective ... hence looking for some subjective opinions.
Thanks.
--Tenzen