Running Security Onion on Atom procs

alias454alias454 Member Posts: 648
So I have been eyeballing one of these for awhile
SUPERMICRO SYS-5018A-FTN4 1U Rackmount Server Barebone FCBGA 1283 DDR3 1600/1333 - Newegg.com

I started using Security Onion at work and we implemented SO on some old ACS chassis' that were no longer going to be used. They work well enough to dip our toes in the water with but we do notice some dropped packets on the incoming interface. The ACS boxes are Core 2 Quads @ 2.4GHz(or thereabouts) and have 8 GBs of RAM in them.

I was thinking for the current application we are using these for, maybe I can get away with these 8 core Atoms and 32GBs of RAM running on SSDs. Has anyone on here played with running SO on this kind of hardware?

This is the one I am looking at for home use http://www.newegg.com/Product/Product.aspx?Item=N82E16816101874
“I do not seek answers, but rather to understand the question.”

Comments

  • Matt2Matt2 Member Posts: 97 ■■□□□□□□□□
    You should ask on the Security onion distribution list. I personally think an Atom proc might be a bit too low end.

    https://groups.google.com/forum/#!forum/security-onion
  • alias454alias454 Member Posts: 648
    Thanks, I did end up posting to the SO group.
    “I do not seek answers, but rather to understand the question.”
  • ErtazErtaz Member Posts: 934 ■■■■■□□□□□
    Ugh. Why do you people do this to me. I just got comfortable with PFSense and now there is this that looks like fun. Not enough hours in the day.
  • chrisonechrisone Senior Member Member Posts: 2,217 ■■■■■■■■■□
    I am currently studying and working on SO in a standalone VM just to practice on. It's a very awesome security distro. Check out this book

    https://www.amazon.com/gp/aw/d/1593275099/ref=mp_s_a_1_1?ie=UTF8&qid=1478040922&sr=8-1&pi=SY200_QL40&keywords=security+onion&dpPl=1&dpID=518TRuafy3L&ref=plSrch

    there are also online pre-recorded courses at
    https://attendee.gototraining.com/9z73w/catalog/7107228144670791168?tz=America/Los_Angeles

    definitely something you want to master, as many companies are dishing out hundreds of thousands of dollars for major brands offering.
    Certs: CISSP, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, AZ-900, VHL:Advanced+, Retired Cisco CCNP/SP/DP
    2021 Goals
    Courses: eLearnSecurity - PTXv2 (complete), SANS 699: Purple Team Tactics (completed), PentesterLabs Pro (ongoing)
    EnCase Courses: DF120 (in progress), DF210, DF310
    Certs: AZ-500, SC-200 (fail 1st attempt), EnCE, Splunk Core Power User (obtained), Splunk Enterprise Sys Admin
  • alias454alias454 Member Posts: 648
    Thanks, I already got that one and a different one
    https://www.amazon.com/Applied-Network-Security-Monitoring-Collection/dp/0124172083/ref=pd_sbs_14_t_2?ie=UTF8&psc=1&refRID=DFW7FPJY57GHFPB21GW0

    Those video courses look like they might be interesting. Security Onion is very easy to get stood up and I am learning how much of what is there is redundant within my environment. I am still getting my feet wet with what info is available to me but at some point I will most likely disable the elsa stuff since we have a pretty robust logging stack already.That is another part of my hardware selection. I am looking to get as close to a no frills setup of suricatta and bro as possible.
    “I do not seek answers, but rather to understand the question.”
  • chrisonechrisone Senior Member Member Posts: 2,217 ■■■■■■■■■□
    Nice! I saw that book as well. I will pick it up in January once I am done with the Network Security Monitoring book. Whats your take on Suricatta vs Snort?

    Once I go through these two books and some of S.O. video courses I am going to roll S.O. out in our environment in the master/remote configuration. I am just using standalone in a VM just for studying purposes. Do you have any material based on Suricatta or Bro?
    Certs: CISSP, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, AZ-900, VHL:Advanced+, Retired Cisco CCNP/SP/DP
    2021 Goals
    Courses: eLearnSecurity - PTXv2 (complete), SANS 699: Purple Team Tactics (completed), PentesterLabs Pro (ongoing)
    EnCase Courses: DF120 (in progress), DF210, DF310
    Certs: AZ-500, SC-200 (fail 1st attempt), EnCE, Splunk Core Power User (obtained), Splunk Enterprise Sys Admin
  • alias454alias454 Member Posts: 648
    Of course, I am no expert so I am going to do a bake off. The thing that draws me to Suricatta a little more is the default multi-core support. I have read about performance between the two but a lot of that information was from several versions ago(I'm sure it wasn't up to date) so I will have to see for myself. Once I get a better handle on what I am doing, I plan on running Suricatta for a month or so then run Snort for a month or so and then see if I notice any more/less dropped packets, worse performance etc. When I was first playing around with SO at home, I notice Snort seemed to take more resources but don't take that to the bank as it was very very unscientific as observations go.

    I currently have a two sensor setup with a single management server. Since the initial hardware I dug up was a little lackluster, I disabled pcaps and file captures at this time until I can whittle down the number of alerts we are seeing. I setup the management server on a VM so it has adequate resources. I disabled X from starting on the sensors and learned a little about CLI deployment and control as it pertains to SO. It is going to be a bit of a journey but sure beats doing paperwork.

    As far as BRO goes, I spent some time perusing the youtubes and came across a lot of videos from a guy named Liam Randall. He seems to have plenty of informative talks on BRO https://www.youtube.com/results?search_query=Liam+Randall+hectaman. I haven't spent as much time on Suricatta specifics but figure rule writing and tuning can be accomplished by reading up on Snort rulesets and the like.

    I have a long way to go in learning about what works and what doesn't but it should be interesting if nothing else.
    “I do not seek answers, but rather to understand the question.”
Sign In or Register to comment.