New IDS best practise

[Michael Maymann <michael () maymann org>]

Hi List,

we are a global multi-site organisation using switched network, firewalls
and proxies.
1. Where would be the best place(s) to put IDS(s), if we aim to have a
centralised view - e.g. can this be set-up as 1 central master (e.g.
Snorby) and site slaves (e.g. Snort) on each FW LAN ?
2. How would it best be implemented - what would be the preferred steps.
3. What could be the typical pitfalls - e.g. would traffic possibly slow
down because everything needs to go to a 100mbit port where IDS is located,
etc.

To begin with we would especially like to detect reverse ssh/corkscrew -
any ideas how to do this properly in a set-up like ours, with or without
IDS ?

Thanks in advance :-) !


~Maymann

------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure 
contains a definitive record of customers, application performance, 
security threats, fraudulent activity, and more. Splunk takes this 
data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-novd2d

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!