Hardware Sizing for Security Onions Stand Alone for 2Gbps traffic


Gabriele Angeli

Feb 11, 2016, 6:06:56 AM
to security-onion
Hi everyone,

I need to size a server for SO installation in Stand Alone mode.
Does anyone have suggestions about sizing?
I think that I will enable only Suricata and ELSA for a retention of 15 days.
Thanks in advance guys!!!

Bye,
Gabriele

Doug Burks

Feb 11, 2016, 6:19:45 AM
to securit...@googlegroups.com
Hi Gabriele,

Have you seen the Hardware page on our Wiki?
https://github.com/Security-Onion-Solutions/security-onion/wiki/Hardware
--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

Gabriele Angeli

Feb 11, 2016, 7:53:02 AM
to security-onion
Hi Doug,
thanks for your answer.
I have seen the wiki page and I have an idea for my sizing, but I need to deploy my solution in stand-alone mode, whereas the wiki talks about sensor/master deployment.
Can you give some suggestions about my deployment?
Thanks in advance.

Gabriele

Doug Burks

Feb 11, 2016, 8:22:29 AM
to securit...@googlegroups.com
Since your standalone installation includes a sensor, follow the
sensor guidance.

Gabriele Angeli

Feb 11, 2016, 10:31:45 AM
to security-onion
Thank you Doug. I have a big doubt.
In your opinion, what is the storage size for 1 Gbps of traffic (average) if I don't enable full packet capture/ELSA but want to store only the pcap traffic related to Suricata signatures?
Thanks in advance

Bye,
Gabriele

Doug Burks

Feb 12, 2016, 1:31:19 PM
to securit...@googlegroups.com
If you just want IDS alerts (and their included packet payload), that
requires MUCH less disk space than full packet capture. However, your
actual storage size is going to depend on your network, your traffic,
your ruleset, etc.
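A back-of-the-envelope sizing model for the two options discussed in this thread (full packet capture versus keeping only IDS alerts with their embedded payload). This is an added example, not code from Security Onion; the alert rate and average alert size are assumptions that have to be measured on the actual network and ruleset, as Doug points out.

```python
# Added sizing estimate for this thread's question; not Security Onion code.
# Compares disk needed for full packet capture at a sustained average link
# rate against disk needed when only IDS alerts (and the packet payload they
# carry) are retained for the same number of days.

GIB = 1024 ** 3
SECONDS_PER_DAY = 86400


def full_pcap_bytes(avg_gbps: float, retention_days: int) -> int:
    """Bytes written by full packet capture at avg_gbps for retention_days.
    Uses the average rate, so bursts above average are not covered; pcap
    file/frame header overhead is ignored as small relative to payload."""
    bytes_per_second = avg_gbps * 1e9 / 8
    return int(bytes_per_second * SECONDS_PER_DAY * retention_days)


def alert_only_bytes(alerts_per_day: int, avg_alert_bytes: int,
                     retention_days: int) -> int:
    """Bytes needed when only alerts plus their captured payload are kept.
    alerts_per_day and avg_alert_bytes are assumed inputs: measure them on
    your own traffic and ruleset before trusting the result."""
    return alerts_per_day * avg_alert_bytes * retention_days


def retention_days_for_disk(disk_gib: float, daily_bytes: int) -> float:
    """How many days a given disk holds at daily_bytes of growth."""
    return disk_gib * GIB / daily_bytes


def compare(avg_gbps: float, retention_days: int,
            alerts_per_day: int, avg_alert_bytes: int) -> dict:
    """Return both estimates in GiB and the ratio between them."""
    full = full_pcap_bytes(avg_gbps, retention_days)
    alerts = alert_only_bytes(alerts_per_day, avg_alert_bytes, retention_days)
    return {
        "full_pcap_gib": full / GIB,
        "alert_only_gib": alerts / GIB,
        "ratio": full / alerts,
    }


if __name__ == "__main__":
    # Constructed inputs: the thread's 1 Gbps average, 15 days retention,
    # and an assumed 10,000 alerts/day at ~2 KB each (alert plus payload).
    est = compare(1.0, 15, 10_000, 2_000)
    for k, v in est.items():
        print(f"{k}: {v:,.1f}")
```

The full-capture figure is a floor, not a recommendation: real sizing needs headroom for traffic bursts above the average and for the other data the sensor writes.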

Brian Haugli

Feb 21, 2016, 10:52:17 AM
to security-onion
Doug, what configuration do you propose gets the pcap to disk that is only associated with the alerted signature?

Doug Burks

Feb 22, 2016, 8:59:54 AM
to securit...@googlegroups.com
Hi Brian,

When Snort/Suricata generate an IDS alert, they include a small amount
of packet payload that is visible in Sguil/Squert.

On Sun, Feb 21, 2016 at 10:52 AM, Brian Haugli <brian....@gmail.com> wrote:
> Doug, what configuration do you propose gets the pcap to disk that is only associated with the alerted signature?

Chris V

Dec 9, 2016, 6:33:40 AM
to security-onion
On Sunday, February 21, 2016 at 7:52:17 AM UTC-8, Brian Haugli wrote:
> Doug, what configuration do you propose gets the pcap to disk that is only associated with the alerted signature?

Hi Brian, so what were the hardware specs you went with? I am looking to deploy a master server VM with 3 remote sensors. Each site has around 500mb tops of bandwidth to monitor. I don't think I am going to save every pcap, but like you, I only want the pcap involved with alerts.

Let me know what you went with.

Thanks!