Snort mailing list archives
Re: New snort install question
From: "Sallee, Stephen (Jake)" <Jake.Sallee () umhb edu>
Date: Mon, 21 May 2012 21:19:34 +0000
Jason, thank you for your response.
What are the uplinks?
The uplinks are 1Gb. The idea would be to span a port on the switch and let the snort box passively analyze that traffic with a separate link on the snort box for management and reporting. We are thinking that this would be the easiest way to sniff our traffic yet keep the box out of band. That way even if it does get bogged down it won't introduce latency into the network.
... do they have high-end CPUs...
Intel Core i3 @ 3.2 GHz, 4 GB DDR3 RAM @ 10666, 300 GB SATA II HD, 2 x 1 Gb NIC. Does that sound sufficient for real time monitoring? We are not interested in historical reporting right now as we are planning on sending the events to a syslog server and our NAC.
... what are you trying to achieve...
We are indeed trying to protect our LAN from internal threats. We have a well-protected internet facing edge but as a university we have a few thousand non-university owned assets that access our network every day. Once these devices are on my network they have bypassed my armored edge and are able to poke away at my soft belly ... I don't like that.
... what is your budget...
: ) effectively $0.00
Basically, lots of organizations use NIDS to monitor (LAN to) WAN or Internet pipes, few use it to monitor (LAN to) LANs - it's just too expensive and time-consuming (i.e. there's a lot more exotic traffic which leads to a lot more FPs)
That's why we are thinking of taking a cautious approach and not enabling a bunch of rules to start with. We would only enable rules that we are comfortable with and would pilot them on a subset of our population first ... this is of course in a perfect world. The main reason that we are looking into this is because we are effectively an ISP for our users and while our internet facing edge is protected our internal network is largely way too trusting. Since we have adopted a BYOD stance we have to regard our internal network as having the same hostility as the internet, simply because the same devices that are out there are being brought in here... and it's a scary, scary world out there!

I would greatly appreciate any suggestions and/or feedback any users have.

Thank you.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton TX. 76513
Fone: 254-295-4658
Phax: 254-295-4221
HTTP://WWW.UMHB.EDU

-----Original Message-----
From: Jason Haar [mailto:Jason_Haar () trimble com]
Sent: Monday, May 21, 2012 3:34 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] New snort install question

On 22/05/12 07:37, Sallee, Stephen (Jake) wrote:
We have 50+ buildings on campus and the idea is to place a single
snort box in each building and have it sniff the uplink traffic, then
report back to our NAC system (Packetfence). The goal was to be able
to use some of our older desktops (Dell 960s) as kind of snort nodes
with no keyboard, mouse or monitor.
What are the uplinks? I'd guess either 1G or 10G? Do "old" Dell 960s have PCIe buses and Ethernet cards to match, and do they have high-end CPUs that can keep up with "counting" 1-10Gbps Ethernet traffic? I think you may be expecting too much of the hardware?
We would prefer to be able to manage all of these distributed snort
boxes from a single place or at least from a web GUI on each box.
#1. Am I way off base thinking about using snort this way?
Assuming I am correct about the uplink speeds, this is probably the best way of doing it. The only other option would be to "collapse" those uplinks into a single area and SPAN that - but then you're in the 10-100Gbps range...? Methinks that's a harder problem to solve ;-)
#3. Am I missing something crucial that would make me look like an
idiot when I go to set this up?
First question is always: "what are you trying to achieve"? Second is "what is your budget" ;-). If you are wanting to protect your computers from your computers, then you are on the right track. If you are trying to protect your computers from "the Internet", then you're doing it wrong - you only need one NIDS at the edge of your network. Basically, lots of organizations use NIDS to monitor (LAN to) WAN or Internet pipes, few use it to monitor (LAN to) LANs - it's just too expensive and time-consuming (i.e. there's a lot more exotic traffic which leads to a lot more FPs)

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
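Jake's plan above is to enable only rules he is comfortable with, pilot them on a subset of hosts, and ship events to syslog and the NAC. As an added illustration of that filtering step (not code from this thread, from Snort or from Packetfence), here is a small Python filter that parses Snort's syslog-style alert lines and keeps only alerts from an allow-list of SIDs, at or above a chosen priority, that involve a host in a pilot subnet. The sample lines, hostnames, SIDs and addresses are constructed.

```python
import ipaddress
import re

# Constructed sample lines in the style of Snort's syslog alert output
# (snort -s); the SIDs, messages and addresses are illustrative only.
SAMPLE_ALERTS = [
    'May 21 15:34:12 bldg07-snort snort[1423]: [1:2100498:7] GPL ATTACK_RESPONSE '
    'id check returned root [Classification: Potentially Bad Traffic] '
    '[Priority: 2]: {TCP} 10.7.12.44:80 -> 10.7.40.15:51234',
    'May 21 15:34:13 bldg07-snort snort[1423]: [1:1000001:1] LOCAL pilot test rule '
    '[Classification: Misc activity] [Priority: 3]: {UDP} 10.7.40.200:5353 -> 224.0.0.251:5353',
    'May 21 15:34:14 bldg07-snort snort[1423]: this is not an alert line',
]

# [gid:sid:rev] msg [Classification: ...] [Priority: N]: {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+'
    r'(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?'
    r'\[Priority:\s*(?P<prio>\d+)\]:?\s+'
    r'\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+'
    r'(?P<dst>[\d.]+)(?::(?P<dport>\d+))?'
)

def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        'gid': int(d['gid']), 'sid': int(d['sid']), 'rev': int(d['rev']),
        'msg': d['msg'], 'classification': d['cls'], 'priority': int(d['prio']),
        'proto': d['proto'], 'src': d['src'], 'dst': d['dst'],
        'sport': int(d['sport']) if d['sport'] else None,
        'dport': int(d['dport']) if d['dport'] else None,
    }

def select_for_pilot(lines, pilot_nets, enabled_sids, max_priority):
    """Keep alerts from enabled rules, at or above max_priority (Snort priority 1
    is the most severe), where src or dst lies in one of the pilot subnets."""
    nets = [ipaddress.ip_network(n) for n in pilot_nets]
    selected = []
    for line in lines:
        ev = parse_alert(line)
        if ev is None or ev['sid'] not in enabled_sids or ev['priority'] > max_priority:
            continue
        if any(ipaddress.ip_address(a) in n for a in (ev['src'], ev['dst']) for n in nets):
            selected.append(ev)
    return selected
```

The events returned by `select_for_pilot` are what would be forwarded on to the NAC; anything outside the pilot subnet or from a rule not yet on the allow-list is dropped before it can cause noise.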