Snort mailing list archives
Re: Deploying snort - Feedback reqd
From: Chuck Morford <cmorford () dot state nc us>
Date: Wed, 10 Oct 2001 07:58:40 -0400
Hi,

First, I'm running Snort on Win2k, with no DB... I'm snorting about 15 subnets with 1 sensor on a mirrored port on my switch. (Which my network guys handle, don't ask me any switch config questions...)

I have a couple of scheduled jobs that shuffle the log every 30 minutes and archive every 6 hours. The shuffled log is emailed to me by the shuffling process, with a command line launched sendmail...

I have generated, long-term average, about 50 megs of files every 24 hours... Until recently, when I decided to PASS all the $HOME_NET -> $HOME_NET ICMP traffic... Now my logs are down to about 15 megs in 24 hours...

Chuck Morford
Hostmaster, NC Dept. of Transportation

Shane Machon wrote:
Greetings,

I am fairly new to snort; after running it up on some development servers I see its massive potential for our network servers. I'm looking for feedback or case studies from people who have this sort of scenario: I've got 6 sensors that I want to run snort on, and report to a central system (either db or syslogd). I just have some simple questions I would like some feedback on.

1. I'm guessing (very roughly) I would get approximately 100+ alerts per remote server per day (this is almost impossible to guess as snort is not running on these machines yet). How much traffic would this generate on the remote computer? (Traffic comes at a cost ;) Are we just talking kilobytes of data or potentially megabytes of data? Is there some sort of calculation that I could use to work this out based on the approximation above (average bytes sent to a db for each attack)?

2. What is the best way of analysing the data? Would ACID be the best solution (based on there only being 1 Sysadmin to maintain all these servers)? Or has anyone run an email type solution that uses syslog and other programs (like logcheck perhaps) to send the sysadmin messages when the alert file is updated?

I hope many others have been in this situation, and I hope that these people can provide me with their success stories on deploying snort.

Cheers,

SHANE MACHON
Network Administrator
Technical Project Manager
Two Purple Plums Pty Ltd.
TPP Internet Development (NetNames Australasia)
PO Box 334, Manly NSW, 1655, Australia
Tel. +61 2 9970 5242
Fax. +61 2 9970 8262
Eml. shane () twoplums com au
==========================================
TPP Internet Development (NetNames Australasia)
The International Domain Name Registry
Registering Domain Names in over 200 countries
http://www.netnames.com.au
http://www.internetdevelopment.com.au
http://www.twoplums.com.au
==========================================

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
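An added example, not from either message: a small script that reads Snort "-A fast" alert lines, tallies them per signature, splits them by whether both endpoints sit inside HOME_NET, and shows how much a pass rule for internal ICMP (the change Chuck describes) would remove, plus a per-day extrapolation for the kind of volume estimate Shane asks about. The alert lines and the 10.0.0.0/8 HOME_NET are constructed, and the line layout is assumed to match what Snort 1.x writes for the fast alert mode.

```python
import ipaddress
import re
from collections import Counter

# Constructed Snort "-A fast" alert lines (sample data, not real traffic).
SAMPLE_ALERTS = """\
10/10-07:58:40.123456  [**] [1:384:4] ICMP PING [**] [Priority: 3] {ICMP} 10.1.2.3 -> 10.1.5.6
10/10-07:58:41.223456  [**] [1:408:4] ICMP Echo Reply [**] [Priority: 3] {ICMP} 10.1.5.6 -> 10.1.2.3
10/10-07:59:02.000001  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.9 -> 10.1.5.6
10/10-08:03:17.500000  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.77:4321 -> 10.1.5.80:80
10/10-08:10:05.000000  [**] [1:384:4] ICMP PING [**] [Priority: 3] {ICMP} 10.1.2.4 -> 10.1.5.6
"""

# Assumed fast-format layout: timestamp, [**] [gid:sid:rev] msg [**], optional
# classification, priority, {PROTO} src[:port] -> dst[:port].
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:[^\]]*\])?\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

def parse_alert(line):
    """Return the fields of one fast-format alert line, or None if it does not parse."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None

def summarize(text, home_net, pass_internal_protos=()):
    """Count alerts per signature and bytes of alert text, split into traffic that
    stays inside HOME_NET and traffic that crosses its edge. Alerts whose protocol is
    in pass_internal_protos and whose endpoints are both internal are dropped, which
    mirrors a Snort pass rule for $HOME_NET -> $HOME_NET traffic of that protocol."""
    net = ipaddress.ip_network(home_net)
    by_sig = Counter()
    stats = {"internal": [0, 0], "external": [0, 0], "passed": [0, 0]}  # [alerts, bytes]
    for line in text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue
        internal = all(ipaddress.ip_address(ip) in net for ip in (a["src"], a["dst"]))
        if internal and a["proto"] in pass_internal_protos:
            bucket = "passed"
        else:
            bucket = "internal" if internal else "external"
            by_sig[a["msg"]] += 1
        stats[bucket][0] += 1
        stats[bucket][1] += len(line.encode()) + 1  # bytes on disk including newline
    return by_sig, stats

def daily_estimate(bytes_in_window, window_minutes):
    """Extrapolate the bytes seen in one sample window to a 24-hour figure."""
    return bytes_in_window * (24 * 60 / window_minutes)
```

Run summarize() once without and once with pass_internal_protos=("ICMP",) on a real day's alert file to see how much of the volume a pass rule like Chuck's would take out before you add it.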
Attachment:
cmorford.vcf
Description: Card for Chuck Morford
Current thread:
- Deploying snort - Feedback reqd Shane Machon (Oct 09)
- Re: Deploying snort - Feedback reqd Chuck Morford (Oct 10)
- <Possible follow-ups>
- RE: Deploying snort - Feedback reqd Fraser Hugh (Oct 10)