Problem solve Get help with specific problems with your technologies, process and projects.

Finding an OS for Snort IDS sensors

JP Vossen offers his advice on choosing an OS for Snort sensors.

After deciding to implement Snort and determining IDS sensor placement, you must decide what operating system (OS) to use for the network sensors. The answer is surprisingly simple.

Flame wars regarding relative OS performance, stability and security problems can and do erupt at the drop of a hat. With this in mind, the bottom line for determining what OS to use with a critical security device is "go with what you know." You will be much better at properly configuring, hardening, administering and troubleshooting an OS you already know. You will also be better able to spec hardware and performance, and presumably other people in your organization will be able to back you up when needed. If you and your organization are equally comfortable with multiple OSes then do some internal testing, or just pick whatever OS runs best with the hardware and IDS sensors that you plan to use.

More on this topic

Having said that, Snort IDS is developed and tested on Linux and Mac OS X, and is heavily tested by the Linux and BSD communities. These platforms are always supported first, and the developers are very familiar with them. With Snort on a well-tuned Linux or BSD platform you can get acceptable performance out of older, slower or cheaper hardware than some other OSes might require.

In the end, learning new technologies is something we should all do to keep current, but devices intended to protect your network are not a good place to experiment.


  Why Snort makes IDS worth the time and effort
  How to identify and monitor network ports after intrusion detection
  How to handle network design with switches and segments
  Where to place IDS network sensors
  Finding an OS for Snort sensors
  How to determine network interface cards for IDS sensors
  Modifying and writing custom Snort IDS rules
  How to configure Snort variables
  Where to find Snort IDS rules
  How to automatically update Snort rules
  How to decipher the Oinkcode for Snort's VRT rules
  Using IDS rules to test Snort


JP Vossen, CISSP, is a Senior Security Engineer for Counterpane Internet Security. He is involved with various open source projects including Snort, and has previously worked as an information security consultant and systems engineer.

This was last published in May 2005

Dig Deeper on Network intrusion detection and prevention (IDS-IPS)