Snort mailing list archives

Re: New snort install question


From: "Sallee, Stephen (Jake)" <Jake.Sallee () umhb edu>
Date: Mon, 21 May 2012 21:19:34 +0000

Jason, thank you for your response.



> What are the uplinks?

The uplinks are 1Gb.  The idea would be to span a port on the switch and let the snort box passively analyze that 
traffic with a separate link on the snort box for management and reporting.  We are thinking that this would be the 
easiest way to sniff our traffic yet keep the box out of band.  That way even if it does get bogged down it won't 
introduce latency into the network.



> ... do they have high-end CPUs...

Intel Core i3 @ 3.2 GHz, 4 GB DDR3 RAM @ 10666, 300 GB SATA II HD, 2 x 1 Gb NIC.

Does that sound sufficient for real time monitoring?  We are not interested in historical reporting right now as we are 
planning on sending the events to a syslog server and our NAC.



> ... what are you trying to achieve...

We are indeed trying to protect our LAN from internal threats.  We have a well-protected internet facing edge but as a 
university we have a few thousand non-university owned assets that access our network every day.  Once these devices 
are on my network they have bypassed my armored edge and are able to poke away at my soft belly ... I don't like that.



> ... what is your budget...

: ) effectively $0.00




> Basically, lots of organizations use NIDS to monitor (LAN to) WAN or Internet pipes, few use it to monitor (LAN to)
> LANs - it's just too expensive and time-consuming (i.e. there's a lot more exotic traffic which leads to a lot more
> FPs)
That's why we are thinking of taking a cautious approach and not enabling a bunch of rules to start with.  We would only 
enable rules that we are comfortable with and would pilot them on a subset of our population first ... this is of 
course in a perfect world.

The main reason that we are looking into this is because we are effectively an ISP for our users and while our internet 
facing edge is protected our internal network is largely way too trusting.  Since we have adopted a BYOD stance we have 
to regard our internal network as having the same hostility as the internet, simply because the same devices that are 
out there are being brought in here... and it's a scary, scary world out there!



I would greatly appreciate any suggestions and/or feedback any users have. Thank you.





Jake Sallee

Godfather of Bandwidth

System Engineer

University of Mary Hardin-Baylor

900 College St.

Belton TX. 76513

Fone: 254-295-4658

Phax: 254-295-4221

HTTP://WWW.UMHB.EDU
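The out-of-band sensor layout described in the reply above (SPAN port on the building uplink feeding a dedicated sniffing NIC, a second NIC for management, alerts shipped to syslog, a deliberately small rule set to start) expressed as a Snort 2.9-style snort.conf fragment. This is an added illustration, not configuration from the thread or from the Snort project; the interface name eth1, the syslog facility/priority, the RULE_PATH and the choice of rule files are assumptions.

```conf
# snort.conf fragment for a passive, out-of-band building sensor.
# Added example, not from the thread.  Assumptions: eth1 is the SPAN-fed
# sniffing NIC (brought up in promiscuous mode with no IP address before
# Snort starts); eth0 is the management NIC and is never referenced here.

# Sniff only.  The sensor is never in the forwarding path, so when it falls
# behind it drops its own packets rather than adding latency to the LAN.
config daq: pcap
config daq_mode: passive
config interface: eth1
config snaplen: 1518

# Start the pilot with a deliberately small rule set and widen it only
# after the per-rule alert rate on the pilot hosts has been reviewed.
var RULE_PATH /etc/snort/rules
include $RULE_PATH/local.rules

# Ship alerts off-box to the syslog server / NAC; the sensor keeps no
# history of its own, matching the "no historical reporting" goal.
output alert_syslog: LOG_AUTH LOG_ALERT
```

With `daq_mode: passive` Snort cannot block or rewrite anything, which is the point of the design: a bogged-down sensor only degrades detection, never the network. Check the interface has no address and is in promiscuous mode before trusting any alert counts, since a SPAN port delivers frames the host would otherwise ignore.

The cautious rollout described in the reply above (enable a small rule set, pilot it on a subset of hosts, then decide which rules are too noisy for a hostile, BYOD-style LAN) as a small Python script. It is added here as an illustration and is not code from the thread or from the Snort project. It parses the one-line alert_fast format Snort writes, tallies alerts per rule together with the number of distinct source hosts each rule fired on, and emits a gid:sid list of rules that exceeded a pilot threshold. The sample alert lines are constructed, the threshold is arbitrary, and the gid:sid output shape (the one read by PulledPork's disablesid.conf) is an assumption about the reader's rule-management tooling.

```python
"""Per-rule alert triage for a Snort pilot.  Added example, not code from
the thread or the Snort project.

Assumptions (not stated in the original post):
  * Snort writes alerts with "output alert_fast", one alert per line.
  * NOISE_THRESHOLD is an arbitrary local cut-off for the pilot window.
  * The output list uses "gid:sid" per line, the shape read by PulledPork's
    disablesid.conf; adapt it for whatever manages your rule set.
"""
import re

# alert_fast layout:
# <time>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {PROTO} src -> dst
# "Classification" is absent for rules without a classtype; ICMP endpoints carry no port.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

NOISE_THRESHOLD = 3  # alerts per rule during the pilot window (assumption)

# Constructed sample lines.  SIDs >= 1000000 are the local-rule range, so
# 1:1000001 and 1:1000002 are stand-ins for pilot rules; 1:2100498 is the
# well-known GPL "id check returned root" rule.  The last line is junk.
SAMPLE = """\
05/21-21:19:34.102301  [**] [1:1000001:1] LOCAL pilot rule A [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.20.1.15:50123 -> 10.20.1.1:53
05/21-21:19:35.221455  [**] [1:1000001:1] LOCAL pilot rule A [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.20.1.16:50124 -> 10.20.1.1:53
05/21-21:19:36.004210  [**] [1:1000001:1] LOCAL pilot rule A [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.20.1.15:50125 -> 10.20.1.1:53
05/21-21:19:40.881212  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.20.1.9:80 -> 10.20.1.44:51234
05/21-21:20:02.337700  [**] [1:1000002:1] LOCAL pilot rule B [**] [Priority: 3] {ICMP} 10.20.1.15 -> 10.20.1.1
this line is not an alert and must be ignored
"""


def host_of(endpoint):
    """Strip the port from 'ip:port'; leave port-less (ICMP) endpoints alone.
    IPv6 endpoints would need bracket handling, which this pilot script skips."""
    return endpoint.rsplit(":", 1)[0] if ":" in endpoint else endpoint


def parse_alert(line):
    """Return a dict for one alert_fast line, or None for anything else."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["pri"] = int(d["pri"])
    d["src_host"] = host_of(d["src"])
    d["dst_host"] = host_of(d["dst"])
    return d


def tally(lines):
    """Aggregate alerts per gid:sid -> {msg, count, pri, sources}."""
    stats = {}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        key = f"{a['gid']}:{a['sid']}"
        s = stats.setdefault(key, {"msg": a["msg"], "count": 0, "pri": a["pri"], "sources": set()})
        s["count"] += 1
        s["sources"].add(a["src_host"])
    return stats


def noisy_rules(stats, threshold=NOISE_THRESHOLD):
    """Rules that fired at least `threshold` times during the pilot.
    Priority-1 rules are never auto-listed: silence those by hand, not by count."""
    return sorted(k for k, s in stats.items() if s["count"] >= threshold and s["pri"] > 1)


def disablesid_lines(keys):
    """One gid:sid per line, the shape PulledPork's disablesid.conf reads (assumption)."""
    return "\n".join(keys) + ("\n" if keys else "")


if __name__ == "__main__":
    stats = tally(SAMPLE.splitlines())
    for key, s in sorted(stats.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{key:>12} pri={s['pri']} count={s['count']:3d} hosts={len(s['sources']):3d}  {s['msg']}")
    print("--- disablesid candidates ---")
    print(disablesid_lines(noisy_rules(stats)), end="")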





-----Original Message-----
From: Jason Haar [mailto:Jason_Haar () trimble com]
Sent: Monday, May 21, 2012 3:34 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] New snort install question



On 22/05/12 07:37, Sallee, Stephen (Jake) wrote:



> We have 50+ buildings on campus and the idea is to place a single
> snort box in each building and have it sniff the uplink traffic, then
> report back to our NAC system (Packetfence).  The goal was to be able
> to use some of our older desktops (Dell 960s) as kind of snort nodes
> with no keyboard, mouse or monitor.

What are the uplinks? I'd guess either 1G or 10G? Do "old" Dell 960s have PCIe buses and Ethernet cards to match, and 
do they have high-end CPUs that can keep up with "counting" 1-10Gbps Ethernet traffic? I think you may be expecting too 
much of the hardware?



> We would prefer to be able to manage all of these distributed snort
> boxes from a single place or at least from a web GUI on each box.

> #1. Am I way off base thinking about using snort this way?

Assuming I am correct about the uplink speeds, this is probably the best way of doing it. The only other option would 
be to "collapse" those uplinks into a single area and SPAN that - but then you're in the 10-100 Gbps range...? Methinks 
that's a harder problem to solve ;-)



> #3. Am I missing something crucial that would make me look like an
> idiot when I go to set this up?

First question is always: "what are you trying to achieve"? Second is "what is your budget" ;-). If you are wanting to 
protect your computers from your computers, then you are on the right track. If you are trying to protect your 
computers from "the Internet", then you're doing it wrong - you only need one NIDS at the edge of your network.



Basically, lots of organizations use NIDS to monitor (LAN to) WAN or Internet pipes, few use it to monitor (LAN to) 
LANs - it's just too expensive and time-consuming (i.e. there's a lot more exotic traffic which leads to a lot more FPs)



--

Cheers



Jason Haar

Information Security Manager, Trimble Navigation Ltd.

Phone: +1 408 481 8171

PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1





------------------------------------------------------------------------------

Live Security Virtual Conference

Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can 
respond. Discussions will include endpoint security, mobile security and the latest in malware threats. 
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________

Snort-users mailing list

Snort-users () lists sourceforge net<mailto:Snort-users () lists sourceforge net>

Go to this URL to change user options or unsubscribe:

https://lists.sourceforge.net/lists/listinfo/snort-users

Snort-users list archive:

http://www.geocrawler.com/redir-sf.php3?list=snort-users



Please visit http://blog.snort.org to stay current on all the latest Snort news!