Snort mailing list archives
Re: distributed snort
From: "Tim Hughes" <tph () secgate org>
Date: Tue, 9 Oct 2001 02:55:21 -0500
Take a look at the following article from Network Computing: http://www.networkcomputing.com/1217/1217f2.html

Greg Shipley writes a very good article on the current state of intrusion detection.

Having decided to just beat the hell out of a box of mine, I ran Snort on 3 sensors with a completely untweaked ruleset, passing the data back to MySQL and ACID on the backend. After 2 days or so (15-20K alerts), I found that on my underpowered box (400 Celeron, 128 MB RAM, RedHat 6.2) it would take an extremely long time to query the database.

While you can easily have 50+ sensors reporting back to your central console, just remember you have to have some form of adequate front-end to analyse the data. With the current front-ends of ALL IDS products that I have seen, a frontend that will handle a true enterprise deployment with decent throughput and traffic does not exist. I would consider breaking your IDS deployment up into smaller, more manageable chunks, as this will make the analysis much easier...

Tim Hughes
tph () secgate org

----- Original Message -----
From: "meling" <meling () scan-associates net>
To: <snort-users () lists sourceforge net>
Sent: Tuesday, October 02, 2001 10:17 PM
Subject: [Snort-users] distributed snort

Hi,

I'm developing a distributed intrusion detection architecture using Snort on the IDS sensors. We're targeting to deploy > 50 sensors on multiple networks. These sensors will push the alert logs to 1 central console, where data crunching and analysis will take place. My questions are:

1. How feasible is it to send alert logs from 50 sensors to 1 central console? The central console will have several different components in itself, such as data parsing, etc.

2. What is the most efficient way to make sure that Snort is running 24x7 on the sensors? Is tcpserver any good?

3. What are the best data consolidation techniques available? My concern is that when too much data is displayed from various sensors on the monitoring console, security analysts will tend to ignore it.

Your input is very much appreciated.

--mel
http://ini2.net/mel

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
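As an added example (not code from either poster), one basic consolidation step for question 3 above, the kind of pre-aggregation that keeps a console from showing one row per packet: collapse Snort alert_fast lines that share signature, source and destination within a time window into a single counted row. The alert lines, the SIDs used and the 300-second window are constructed for illustration.

```python
"""Consolidate Snort alert_fast lines into one row per (sid, src, dst) so a bursting signature is
shown once with a count.  Added example; the alert lines below are constructed, not real sensor output."""
import re
from datetime import datetime

# Snort alert_fast line: "MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]"
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$"
)

SAMPLE_ALERTS = [  # constructed: one chatty ICMP source, one isolated web alert, one junk line
    "10/09-02:50:01.000001  [**] [1:469:1] ICMP PING NMAP [**] [Priority: 2] {ICMP} 192.0.2.10 -> 198.51.100.5",
    "10/09-02:50:02.000001  [**] [1:469:1] ICMP PING NMAP [**] [Priority: 2] {ICMP} 192.0.2.10 -> 198.51.100.5",
    "10/09-02:50:03.000001  [**] [1:469:1] ICMP PING NMAP [**] [Priority: 2] {ICMP} 192.0.2.10 -> 198.51.100.5",
    "10/09-02:51:10.000001  [**] [1:1002:2] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 192.0.2.10:41222 -> 198.51.100.5:80",
    "10/09-03:00:00.000001  [**] [1:469:1] ICMP PING NMAP [**] [Priority: 2] {ICMP} 192.0.2.10 -> 198.51.100.5",
    "sensor heartbeat: not an alert",
]

def parse_fast_alert(line):
    """Return the fields of one alert_fast line, or None for anything that is not an alert."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    # alert_fast omits the year, so strptime fills in 1900; only time differences are used below.
    a["ts"] = datetime.strptime(a["ts"], "%m/%d-%H:%M:%S")
    return a

def consolidate(lines, window_seconds=300):
    """Merge alerts sharing (sid, src, dst) whose timestamps fall within window_seconds of the
    group's first alert; a later burst outside the window starts a new group.  Sorted by count."""
    groups, open_group = [], {}          # all groups; key -> index of the currently open one
    for line in lines:
        a = parse_fast_alert(line)
        if a is None:
            continue                      # skip non-alert noise rather than crash the console
        key = (a["sid"], a["src"], a["dst"])
        g = groups[open_group[key]] if key in open_group else None
        if g is None or (a["ts"] - g["first"]).total_seconds() > window_seconds:
            g = {"sid": a["sid"], "msg": a["msg"], "src": a["src"], "dst": a["dst"],
                 "count": 0, "first": a["ts"], "last": a["ts"]}
            open_group[key] = len(groups)
            groups.append(g)
        g["count"] += 1
        g["last"] = max(g["last"], a["ts"])
    return sorted(groups, key=lambda g: g["count"], reverse=True)
```

On the sample input the five alerts collapse to three rows; widening the window to an hour folds the late ICMP alert into the first burst and leaves two.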
Current thread:
- distributed snort meling (Oct 02)
- Re: distributed snort Michael Boman (Oct 03)
- Re: distributed snort Erek Adams (Oct 03)
- Re: distributed snort Tim Hughes (Oct 09)
- Re: distributed snort Andreas Hasenack (Oct 09)
- <Possible follow-ups>
- RE: distributed snort Fraser Hugh (Oct 03)