This was discussed heavily a couple of months ago. Search the forums for "snort". I ended up hacking one in myself. It monitored the external interface and wrote alerts via the internal interface to a MySQL database on an internal machine running MySQL, IIS, and ACID. A PII-400 w/~700 signatures could handle all the traffic my 1.5Mb DSL could give it. I'm thnking about trying Snort-Inline as an IPS for specific traffic. Right now I've got snort-inline running on a Linux bridge between my ASL machine and my border router. Bridging with iptables in Linux is a pain since you need to recompile the Kernel with the bridge-netfilter patch. I'd have to see if ASL comes with the ip_queue module first. Mostly theory now.
This was discussed heavily a couple of months ago. Search the forums for "snort". I ended up hacking one in myself. It monitored the external interface and wrote alerts via the internal interface to a MySQL database on an internal machine running MySQL, IIS, and ACID. A PII-400 w/~700 signatures could handle all the traffic my 1.5Mb DSL could give it. I'm thnking about trying Snort-Inline as an IPS for specific traffic. Right now I've got snort-inline running on a Linux bridge between my ASL machine and my border router. Bridging with iptables in Linux is a pain since you need to recompile the Kernel with the bridge-netfilter patch. I'd have to see if ASL comes with the ip_queue module first. Mostly theory now.
