Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: distributed snort

From: "Tim Hughes" <tph () secgate org>
Date: Tue, 9 Oct 2001 02:55:21 -0500
Take a look at the following article from Network Computing.
http://www.networkcomputing.com/1217/1217f2.html

Greg Shipley writes a very good article on the current state of intrusion
detection.  Having decided to just beat the hell out of a box of  mine, I
ran Snort on 3 sensors with a completely untweaked ruleset passing the data
back to mysql and ACID on the backend.  After 2 days or so (15-20K alerts),
I found that on my underpowered box (400 Celeron, 128 MB RAM, RedHat 6.2) it
would take an exteremely long time to query the database.

While you can easily have 50+ sensors reporting back to your central
console, just remember you have to have some form of adequate front-end to
analyse the data.  With the current front-ends of ALL IDS products that I
have seen, a frontend that will handle a true enterprise deployment with
decent throughput and traffic does not exist.

I would consider breaking your IDS deployment up into smaller more
manageable chunks, as this will make the analysis much easier...

Tim Hughes
tph () secgate org
----- Original Message -----
From: "meling" <meling () scan-associates net>
To: <snort-users () lists sourceforge net>
Sent: Tuesday, October 02, 2001 10:17 PM
Subject: [Snort-users] distributed snort



Hi,

I'm developing a distributed intrusion detection architecture using
Snort on the IDS sensors. We're targeting to deploy > 50 sensors on
multiple networks. These sensors will push the alert logs to 1 central
console, where data crunching and analysis will take place.

My questions are:

1. How feasible it is to send alert logs from 50 sensors to 1 central

console?

   The central console will have several different components in itself,
   such as data parsing, etc.

2. What is the most efficient way to make sure that Snort is runnig 24x7

on

   the sensors? Is tcpserver any good?

3. What are the best data consolidation techniques available? My concern

is

   that when too many data are displayed from various sensors on the
   monitoring console, security analyst will tend to ignore them.

Your input are very much appreciated.

--mel
http://ini2.net/mel

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: