Snort mailing list archives
Re: Best Enterprise Snort Configuration
From: Bennett Todd <bet () rahul net>
Date: Fri, 14 Feb 2003 12:40:16 -0500
2003-02-14T10:52:28 Kreimendahl, Chad J:

> What brings on the need for 60-70 sensors?

I can't speak for the original questioner, but in my case it is simply a proliferation of interfaces we want to watch, most of them distinctly geographically separated, combined with a preference for using the cheapest possible 1U sensors and not having to sweat tuning them for performance.

> There may be many better ways to consolidate several links into one (monitoring a DMZ or VLAN for example)...

In some cases, where we have both modest bandwidth and physical proximity, we're doing just that; since we're snorting on Red Hat 7.3, we can just use the bonding driver (/usr/src/linux/Documentation/networking/bonding.txt; ifenslave is the command to enable it) to consolidate traffic. But if longer-distance backhauls or higher-bandwidth-capable platforms would be required, we just roll out separate sensors. In a world-wide enterprise, this happens a lot.

> Depending on how much money you want to spend (hardware/software), you may consider people like Sourcefire or Demarc. If you have in-house developers, you may even consider using them to develop a tool.

I developed enterprise configuration management components for this; the config is completely packaged, including the tuned sigs, and an automatic package updater allows for convenient maintenance.

> I would recommend Oracle if you're going to plan on having more than a few hundred thousand records in the DB.

Another approach is to consolidate using syslog. With sensors placed inside the perimeter (so attacks that are turned away aren't seen at all), and tuned to eliminate false positives, the alert volumes are modest, and syslog aggregates quite conveniently.

> I would recommend a dual 1.4+GHz box for doing 2 gigE or quad ethernet.

2 or more gigE can make sense if interface constraints require it (e.g. if bonding together the outputs from a tap), but a single box can't handle more than 50Mbps without tuning, 200-300Mbps with tuning, possibly approaching 500-600Mbps with the best tuned software and PCIx busses.

-Bennett
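The syslog consolidation approach described in this reply, as an added example that is not part of the original thread or of Snort itself: a small Python aggregator that reads the lines Snort's alert_syslog output produces from several sensors once they are forwarded to one central syslog host, and summarises them per sensor, per signature and per source address. The sensor names, addresses and log lines below are constructed sample data, and the field layout assumed by the regular expression is the `[gid:sid:rev] message [Classification: ...] [Priority: n] {proto} src -> dst` format that Snort 1.x/2.x write to syslog; the function names are the example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Snort alert_syslog line layout (assumed for this example):
#   <syslog ts> <sensor host> snort[pid]: [gid:sid:rev] <msg>
#   [Classification: <cls>] [Priority: <n>] {<proto>} <src> -> <dst>
# The Classification block is optional (rules without a classtype omit it).
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<sensor>\S+) snort(?:\[\d+\])?: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] )?"
    r"\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)

# Constructed sample lines, as they would arrive on the central syslog host
# from three hypothetical sensors; the last line is a non-Snort syslog entry.
SAMPLE_SYSLOG = """\
Feb 14 12:40:16 dmz-sensor-01 snort[2218]: [1:1002:7] WEB-IIS cmd.exe access [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:3321 -> 198.51.100.5:80
Feb 14 12:40:17 dmz-sensor-01 snort[2218]: [1:1002:7] WEB-IIS cmd.exe access [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:3322 -> 198.51.100.5:80
Feb 14 12:41:02 corp-sensor-07 snort[1190]: [1:469:3] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.44 -> 10.20.30.40
Feb 14 12:41:30 corp-sensor-07 snort[1190]: [1:1002:7] WEB-IIS cmd.exe access [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:4410 -> 10.20.30.80:80
Feb 14 12:42:11 apac-sensor-12 snort[3001]: [1:2003:1] MS-SQL Worm propagation attempt [Priority: 2] {UDP} 203.0.113.9:1434 -> 10.50.1.2:1434
Feb 14 12:42:12 apac-sensor-12 syslogd: restart
"""


@dataclass(frozen=True)
class Alert:
    sensor: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    proto: str
    src: str
    dst: str


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one syslog line; return None for lines that are not Snort alerts."""
    m = ALERT_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return Alert(
        sensor=m["sensor"],
        gid=int(m["gid"]),
        sid=int(m["sid"]),
        rev=int(m["rev"]),
        msg=m["msg"],
        classification=m["cls"] or "unclassified",
        priority=int(m["prio"]),
        proto=m["proto"],
        src=m["src"],
        dst=m["dst"],
    )


def host_part(endpoint: str) -> str:
    """Strip the ':port' suffix that TCP/UDP endpoints carry; ICMP has none."""
    return endpoint.rsplit(":", 1)[0]


def summarize(lines: Iterable[str]) -> dict:
    """Aggregate alerts from all sensors into per-sensor/-signature/-source counts."""
    parsed, skipped = [], 0
    for line in lines:
        if not line.strip():
            continue
        alert = parse_alert(line)
        if alert is None:
            skipped += 1  # non-alert syslog traffic sharing the same log stream
        else:
            parsed.append(alert)
    return {
        "alerts": len(parsed),
        "skipped": skipped,
        "per_sensor": Counter(a.sensor for a in parsed),
        "per_signature": Counter((a.sid, a.msg) for a in parsed),
        "per_source": Counter(host_part(a.src) for a in parsed),
        "high_priority": [a for a in parsed if a.priority == 1],
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_SYSLOG.splitlines())
    print(f"{report['alerts']} alerts, {report['skipped']} non-alert lines skipped")
    for sensor, n in report["per_sensor"].most_common():
        print(f"  {sensor}: {n}")
    for (sid, msg), n in report["per_signature"].most_common():
        print(f"  sid {sid} {msg!r}: {n}")
    for src, n in report["per_source"].most_common(3):
        print(f"  top source {src}: {n}")
```

Because every sensor's hostname is carried in the syslog header, the same signature firing on geographically separate sensors (sid 1002 above, seen on both the DMZ and corporate sensors from one source address) is visible as a single cross-site pattern without a central database; the only tuning the aggregator depends on is that sensors were already tuned to keep false positives, and hence line volume, low.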