Snort mailing list archives

Snort on networks with heavy load.


From: John-Magne Bredal <bredal () stud ntnu no>
Date: Mon, 4 Feb 2002 10:51:05 +0100 (CET)

Hi.

I am in my final year in my university education, and am currently
working with security. Right now I am working with Snort, trying to get it
to send a reasonable number of alerts on our high-speed network. We have
about 12000 computers connected to it, so needless to say there is a LOT
going on there.

I wonder if there are any other Snort-users that have any experience in
using Snort on heavily loaded networks? I would be glad to get some advice
on this matter. What have other people who are in the same situation done?
How to decrease the number of alerts? Are there any software/projects
developed that in any way manage the high load? How to avoid
spamming the users with alerts?

Currently I have removed a lot of signatures, and Snort is not getting all
our traffic. I am logging to a MySQL db, and using ACID as web-frontend
(which is SLOW btw). The number of daily alerts is between 5k and 10k.

Any help on the subject is greatly appreciated!

--
John Magne Bredal
Student ved NTNU - Telematikk
http://www.stud.ntnu.no/~bredal
bredal () stud ntnu no

"Just because you're paranoid, doesn't mean they're not after you."
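One way to start on the "how to decrease the number of alerts" question is to find out which few rules produce most of the volume. The script below is an added example, not part of the original post and not Snort's own code: it parses Snort's fast-format alert output (the `alert_fast` output plugin), ranks signatures by alert count and by how many distinct source and destination addresses trigger them, and reports the cumulative share of the total so the handful of rules worth tuning first stand out. A rule that fires thousands of times from one source is a different tuning problem from one that fires from hundreds of sources. The sample alert lines, the signature IDs (1:1000001 and so on) and all addresses are constructed for this example.

```python
import re
from collections import defaultdict

# Regex for one line of Snort "fast" alert output. Ports are optional so
# that ICMP alerts (no port) parse as well as TCP/UDP ones.
ALERT_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\]'
    r'(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?'
    r'(?:\s+\[Priority:\s*(?P<prio>\d+)\])?'
    r'\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+?)(?::(?P<sport>\d+))?'
    r'\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?$'
)

# Constructed sample input: three made-up local rules, plus one junk line
# to show that unparseable lines are skipped rather than crashing the run.
SAMPLE_ALERTS = """\
02/04-10:51:05.123456  [**] [1:1000001:1] LOCAL sample web probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.2.3:40123 -> 10.9.8.7:80
02/04-10:51:06.000001  [**] [1:1000001:1] LOCAL sample web probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.2.3:40124 -> 10.9.8.7:80
02/04-10:51:07.000002  [**] [1:1000001:1] LOCAL sample web probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.2.4:1025 -> 10.9.8.7:80
02/04-10:51:08.000003  [**] [1:1000001:1] LOCAL sample web probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.2.5:2048 -> 10.9.8.7:80
02/04-10:51:09.000004  [**] [1:1000001:1] LOCAL sample web probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.2.4:1026 -> 10.9.8.7:80
this line is not an alert and must be ignored
02/04-10:52:00.000000  [**] [1:1000002:1] LOCAL sample chatty protocol [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.1.2.9:5000 -> 10.9.8.1:161
02/04-10:52:01.000000  [**] [1:1000002:1] LOCAL sample chatty protocol [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.1.2.9:5001 -> 10.9.8.1:161
02/04-10:52:02.000000  [**] [1:1000002:1] LOCAL sample chatty protocol [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.1.2.9:5002 -> 10.9.8.1:161
02/04-10:53:00.000000  [**] [1:1000003:1] LOCAL sample ping sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.1.2.3 -> 10.9.8.2
02/04-10:53:01.000000  [**] [1:1000003:1] LOCAL sample ping sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.1.2.3 -> 10.9.8.3
"""


def parse_alerts(text):
    """Parse fast-format alert lines; unparseable lines are dropped."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def rank_signatures(events):
    """Rank signatures by count, most frequent first, with cumulative share."""
    by_sig = defaultdict(lambda: {"count": 0, "srcs": set(), "dsts": set(), "msg": ""})
    for e in events:
        rec = by_sig[(e["gid"], e["sid"])]
        rec["count"] += 1
        rec["srcs"].add(e["src"])
        rec["dsts"].add(e["dst"])
        rec["msg"] = e["msg"]
    total = len(events)
    ranked, cumulative = [], 0
    for (gid, sid), rec in sorted(by_sig.items(), key=lambda kv: -kv[1]["count"]):
        cumulative += rec["count"]
        ranked.append({
            "gid": gid, "sid": sid, "msg": rec["msg"], "count": rec["count"],
            "unique_sources": len(rec["srcs"]),
            "unique_destinations": len(rec["dsts"]),
            "cumulative_share": cumulative / total if total else 0.0,
        })
    return ranked


def report(ranked):
    """Print a one-line-per-signature summary for a tuning review."""
    print(f"{'gid:sid':>12} {'count':>6} {'srcs':>5} {'dsts':>5} {'cum%':>6}  msg")
    for r in ranked:
        print(f"{r['gid'] + ':' + r['sid']:>12} {r['count']:>6} {r['unique_sources']:>5} "
              f"{r['unique_destinations']:>5} {100 * r['cumulative_share']:>5.1f}%  {r['msg']}")


if __name__ == "__main__":
    # Replace SAMPLE_ALERTS with open('/var/log/snort/alert').read() for real data.
    report(rank_signatures(parse_alerts(SAMPLE_ALERTS)))
```

Running it on the constructed sample shows the first rule alone producing half of all alerts from three sources, the second producing another 30% from a single source, which is the kind of breakdown that tells you whether to look at the rule itself or at one noisy host before disabling anything.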


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
