Educause Security Discussion mailing list archives
Re: Snort IDS Frontends
From: Timothy Wright <twright () ND EDU>
Date: Thu, 10 Jul 2003 18:00:05 -0500
At Notre Dame, last year we undertook a thorough examination of what were some of the top commercial brands in the NIDS business. In the end, we found that the best fit was Snort/MySQL/ACID/SnortCenter. After having our IDS in production for a short while, I can report that sizing the various system components correctly should yield smooth results. In our case, to fit our environment (and allow for future growth) we used the following:

- 1 four processor Xeon with about 300 gigs of hard drive (spread over RAID 1 and RAID 5 arrays), 4 gigs of RAM
- 8 dual processor Xeon machines with 1.5 gigs of RAM and nominal hard drive space

You might have guessed that the first of these items is our Snort/ACID database, while the second consists of the Snort sensors. All machines run Red Hat 8 and Snort 2.0. SnortCenter, although a little rough around the edges in terms of its interface, has proven quite effective in allowing us to manage all eight sensors in a centralized fashion.

This system was able to handle 2 million events in a single day - however, ACID became a bottleneck with so much data on which to report during its page displays (i.e., the home page, with all of its global statistics, took a good two or three minutes to appear!). The fix was two-fold: tune the signatures to avoid white noise, and stop listening to peer-to-peer traffic. Of course, as with other universities, we do care about P2P; there's just no need to log P2P in our IDS database (all we care about are IP addresses and quantities). So far, we've effectively dealt with P2P by using IPTraf (running as a daemon on one of our eight sensors) to do a simple odometer count of all P2P traffic flowing past. An alert on these data is sent out automatically a few times each day.
I should point out that I had to fix a couple of minor issues in ACID (emailing alert group data was broken, and the graphing function had no way to adjust the margins between the axes and their labels), as well as add a module to automate archiving (who wants to archive IDS data by hand??!), and automate sending out alerts if something on a watch list shows up in the database. All of my tweaks can be found in my web space: http://www.nd.edu/~twright/snortACID/ (soon, I'll have the script I'm using for IPTraf out there as well).

I would have to say that I'm pleased with the results (and cost savings!!). Although the hardware we obtained for our NIDS wasn't cheap, we still spent far, far less than an equivalent commercial solution.

-Tim

--
Timothy Wright, CISSP
Information Security
Office of Information Technology
University of Notre Dame
(574) 631-5863

----- Original Message -----
From: "Crawford, Charles D" <ccrawf () KU EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Thursday, July 10, 2003 5:20 PM
Subject: [SECURITY] Snort IDS Frontends
Hello List,

I know this has been a hot item on many listservs lately but I am interested to hear what other Institutions are using for front ends on Snort. We have tried ACID, PureSecure, Applied Watch. All have their pros and cons.

ACID would be great if it weren't so slow. (Free is appealing, but doesn't seem scalable, we had over 500,000 records in our database and it took over 2 minutes a whack on the mouse to get anything back)

PureSecure looks good --- budgets/state/money/hmmm might be a tough one to sell.

Applied Watch --- Not sure how I felt about it...Pretty expensive

Any feedback would be excellent.

thanks
Charles Crawford
IT Security Officer
University of Kansas
(785)864-0491
ccrawf () ku edu

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/memdir/cg/.
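Tim's message mentions two pieces of automation he added around ACID, archiving old events and alerting when a watch-listed address shows up in the database, and Charles's original post shows why the archiving matters (ACID page loads crawl once the live tables hold several hundred thousand rows). What follows is an added example written for this archive page, not Tim's scripts from his web space and not ACID code: a Python sketch of both jobs against a small in-memory SQLite copy of the signature, event and iphdr tables that Snort's database output plugin fills and ACID reads. The schema subset, the constructed sample events, the reference time and the watch-list address are all assumptions made here; the SQL is kept plain so the same statements would run against the MySQL database the thread describes.

```python
import ipaddress
import sqlite3
from datetime import datetime, timedelta

# Assumption: a minimal subset of the tables Snort's database output plugin
# writes and ACID reads (signature, event, iphdr). An in-memory SQLite database
# stands in for the MySQL server in the thread; the SQL is plain enough to run
# against MySQL unchanged. event_archive is the destination for old rows.
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT NOT NULL);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER NOT NULL,
                    timestamp TEXT NOT NULL, PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER NOT NULL,
                    ip_dst INTEGER NOT NULL, PRIMARY KEY (sid, cid));
CREATE TABLE event_archive (sid INTEGER, cid INTEGER, signature INTEGER,
                    timestamp TEXT, ip_src INTEGER, ip_dst INTEGER);
"""

# Constructed reference time (the date of the post) so results are reproducible.
SAMPLE_NOW = datetime(2003, 7, 10, 18, 0, 0)


def ip2int(addr):
    """Snort stores IPv4 addresses as unsigned 32-bit integers."""
    return int(ipaddress.IPv4Address(addr))


def int2ip(n):
    return str(ipaddress.IPv4Address(n))


def ts(dt):
    """DATETIME-style text; sorts correctly as a string in SQLite and MySQL."""
    return dt.strftime("%Y-%m-%d %H:%M:%S")


def build_sample_db():
    """Constructed sample: two sensors (sid 1 and 2), four events, one of
    which involves the constructed watch-list address 198.51.100.7."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?, ?)", [
        (1, "CONSTRUCTED P2P client request"),
        (2, "CONSTRUCTED web server probe"),
        (3, "CONSTRUCTED scan"),
    ])
    rows = [
        # sid, cid, sig, timestamp,                        src,            dst
        (1, 1, 1, SAMPLE_NOW - timedelta(hours=6), "10.1.2.3",     "192.0.2.10"),
        (1, 2, 2, SAMPLE_NOW - timedelta(hours=5), "198.51.100.7", "10.1.2.4"),
        (2, 1, 2, SAMPLE_NOW - timedelta(days=70), "203.0.113.5",  "10.1.2.5"),
        (2, 2, 3, SAMPLE_NOW - timedelta(days=40), "10.1.2.6",     "198.51.100.7"),
    ]
    for sid, cid, sig, when, src, dst in rows:
        conn.execute("INSERT INTO event VALUES (?, ?, ?, ?)", (sid, cid, sig, ts(when)))
        conn.execute("INSERT INTO iphdr VALUES (?, ?, ?, ?)",
                     (sid, cid, ip2int(src), ip2int(dst)))
    conn.commit()
    return conn


def watchlist_hits(conn, watchlist, now, lookback_hours=24):
    """Events in the last lookback_hours whose source or destination is on the
    watch list. Returns (timestamp, signature name, src, dst) tuples."""
    ips = [ip2int(a) for a in watchlist]
    if not ips:                      # avoid an invalid "IN ()" clause
        return []
    marks = ",".join("?" * len(ips))
    sql = f"""
        SELECT e.timestamp, s.sig_name, i.ip_src, i.ip_dst
        FROM event e
        JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
        JOIN signature s ON s.sig_id = e.signature
        WHERE e.timestamp >= ?
          AND (i.ip_src IN ({marks}) OR i.ip_dst IN ({marks}))
        ORDER BY e.timestamp"""
    since = ts(now - timedelta(hours=lookback_hours))
    cur = conn.execute(sql, [since, *ips, *ips])
    return [(t, name, int2ip(s), int2ip(d)) for t, name, s, d in cur]


def archive_old_events(conn, now, keep_days=30):
    """Copy events older than keep_days into event_archive and delete them from
    the live tables ACID queries. Returns the number of events moved."""
    cutoff = ts(now - timedelta(days=keep_days))
    with conn:  # one transaction: copy and delete both happen, or neither does
        conn.execute("""
            INSERT INTO event_archive (sid, cid, signature, timestamp, ip_src, ip_dst)
            SELECT e.sid, e.cid, e.signature, e.timestamp, i.ip_src, i.ip_dst
            FROM event e JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
            WHERE e.timestamp < ?""", (cutoff,))
        conn.execute("""
            DELETE FROM iphdr WHERE EXISTS (
                SELECT 1 FROM event e
                WHERE e.sid = iphdr.sid AND e.cid = iphdr.cid AND e.timestamp < ?)""",
                     (cutoff,))
        moved = conn.execute("DELETE FROM event WHERE timestamp < ?", (cutoff,)).rowcount
    return moved


if __name__ == "__main__":
    db = build_sample_db()
    for hit in watchlist_hits(db, {"198.51.100.7"}, SAMPLE_NOW):
        print("WATCHLIST:", *hit)
    print("archived", archive_old_events(db, SAMPLE_NOW), "events")
```

The archive step runs as a single transaction so a failure between the copy and the delete cannot lose events, and it deletes from iphdr before event because the two tables are joined only by the (sid, cid) pair; on a production database the same job would be run from cron with the keep window set to what ACID's page loads can tolerate.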
Current thread:
- Snort IDS Frontends Crawford, Charles D (Jul 10)
- <Possible follow-ups>
- Re: Snort IDS Frontends Timothy Wright (Jul 10)
- Re: Snort IDS Frontends Gerry Sneeringer (Jul 11)
- Re: Snort IDS Frontends Crawford, Charles D (Jul 11)
- Re: Snort IDS Frontends Gerry Sneeringer (Jul 11)
- Re: Snort IDS Frontends Phil Rodrigues (Jul 14)