Snort mailing list archives
Re: Snort on networks with heavy load.
From: Thomas Springer <tuev () serveraudit net>
Date: Mon, 04 Feb 2002 12:16:01 +0100
> I wonder if there are any other Snort-users that have any experience in using Snort on heavily loaded networks? I would be glad to get some advice
500 workstations here and ~20 heavy-traffic web/application servers here, 10.000 alarms/day.

Don't log portscans, cut out the ICMPs. Cut the ruleset as far as possible, try the fast options for logging instead of logging directly to the DB. Snort catches 100% of packets at approx. 8-12 MBit/s here on an out-of-the-box Celeron 700/256MB.
> Currently I have removed a lot of signatures, and Snort is not getting all our traffic. I am logging to a Mysql db, and using ACID as web-frontend (which is SLOW btw). The number of daily alerts is between 5k and 10k.
We're using SnortSnarf as frontend (problem: eats up _massive_ amounts of mem when analyzing big logfiles).

Another possibility is to use multiple Snort sensors for different networks or rulesets, e.g. one for the proxies/gateways connecting your users to the net, one for the servers outside the DMZ and one for servers inside the DMZ. There's usually no prob with running two or three sensors on one machine. If you have multiple subnets, it could make sense to use multiple Snort processes for these as well.

What I see here is that the usual net-noise (Nimda, Code Red, proxy scans...) differs extremely depending on the subnet (I monitor a few 195.30.* and 217.5.*) and depending on the machines on my side of the network (workstations // servers) - so I decided to separate these in different Snorts. You'll always have part of this net-noise in your logs - the art is to see the different or new alerts or patterns.

Sorry for not having the golden rule,

ts
Thomas Springer

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
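The reply above makes two practical points: switch to Snort's fast alert output instead of writing every alert into the database, and split monitoring per subnet because the background noise differs from one network to the next, so that what matters is spotting the new or unusual signatures. The script below is an added example written for this archive page, not code from Thomas Springer or from the Snort project. It parses lines in the `alert_fast` output format, assigns each alert to a "sensor" bucket by destination subnet, and reports which signatures are not in that bucket's known-noise baseline. The sensor subnets, the baseline SIDs and the sample alert lines are all constructed for the example (the SIDs are in the local-rule range and do not refer to real Snort rules).

```python
import ipaddress
import re
from collections import Counter, defaultdict

# One line of Snort's alert_fast output (the "fast" logging option mentioned above):
#   <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port
# ICMP lines carry no ports, and the Classification field is optional.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Hypothetical split of the monitored address space into sensor buckets, mirroring
# "one for the proxies/gateways, one for the DMZ servers, one for inside servers".
SENSORS = {
    "users-proxy": [ipaddress.ip_network("10.20.0.0/16")],
    "dmz-servers": [ipaddress.ip_network("192.0.2.0/25")],
    "inside-servers": [ipaddress.ip_network("192.0.2.128/25")],
}

# Constructed per-sensor baseline of (gid, sid) pairs that are accepted daily noise.
KNOWN_NOISE = {
    "dmz-servers": {(1, 1000001), (1, 1000002)},   # the usual worm-style web probes
    "inside-servers": {(1, 1000003), (1, 1000004)},  # proxy scans and pings
    "users-proxy": set(),
}

# Constructed sample alert_fast lines; SIDs and addresses are made up for the example.
SAMPLE_ALERTS = """\
02/04-09:12:01.123456  [**] [1:1000001:3] WEB-IIS ISAPI .ida attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:3391 -> 192.0.2.10:80
02/04-09:12:05.223456  [**] [1:1000002:2] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:3392 -> 192.0.2.10:80
02/04-09:13:44.000001  [**] [1:1000003:1] SCAN Proxy (8080) attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.9:51001 -> 192.0.2.140:8080
02/04-09:14:10.500000  [**] [1:1000004:1] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.9 -> 192.0.2.140
02/04-09:15:30.777777  [**] [1:1000001:3] WEB-IIS ISAPI .ida attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.8:1055 -> 192.0.2.140:80
02/04-09:16:02.111111  [**] [1:1000005:1] WEB-CGI phf access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.23:2020 -> 192.0.2.10:80
02/04-09:17:15.000000  [**] [1:1000001:3] WEB-IIS ISAPI .ida attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.9:2044 -> 192.0.2.11:80
02/04-09:18:00.000000  [**] [1:1000006:1] LOCAL test rule [**] [Priority: 3] {UDP} 10.20.3.4:1025 -> 10.20.1.1:53
"""


def parse_fast_alert(line):
    """Parse one alert_fast line into a dict, or return None for lines that do not match."""
    m = FAST_ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        d[key] = int(d[key])
    return d


def sensor_for(dst_ip):
    """Map a destination address to the sensor bucket whose subnet contains it."""
    ip = ipaddress.ip_address(dst_ip)
    for name, nets in SENSORS.items():
        if any(ip in net for net in nets):
            return name
    return "unassigned"


def summarize(text):
    """Return {sensor: Counter({(gid, sid, msg): hits})} for a block of alert_fast lines."""
    per_sensor = defaultdict(Counter)
    for line in text.splitlines():
        alert = parse_fast_alert(line)
        if alert is None:
            continue
        per_sensor[sensor_for(alert["dst"])][(alert["gid"], alert["sid"], alert["msg"])] += 1
    return per_sensor


def protocol_counts(text):
    """Count alerts per protocol, e.g. to see how much volume dropping ICMP rules would remove."""
    counts = Counter()
    for line in text.splitlines():
        alert = parse_fast_alert(line)
        if alert is not None:
            counts[alert["proto"]] += 1
    return counts


def new_signatures(per_sensor, baseline):
    """Signatures that are not in the sensor's baseline: the 'different or new' alerts worth a look."""
    fresh = {}
    for sensor, counts in per_sensor.items():
        known = baseline.get(sensor, set())
        unseen = {key: n for key, n in counts.items() if (key[0], key[1]) not in known}
        if unseen:
            fresh[sensor] = unseen
    return fresh


if __name__ == "__main__":
    summary = summarize(SAMPLE_ALERTS)
    for sensor, counts in summary.items():
        print(f"{sensor}: {sum(counts.values())} alerts, {len(counts)} distinct signatures")
    for sensor, unseen in new_signatures(summary, KNOWN_NOISE).items():
        for (gid, sid, msg), n in unseen.items():
            print(f"  NEW on {sensor}: [{gid}:{sid}] {msg} x{n}")
    print("by protocol:", dict(protocol_counts(SAMPLE_ALERTS)))
```

The per-sensor baseline is the point of the exercise: the same `.ida` probe that is routine noise on the DMZ web servers shows up as new when it hits the inside network, which is exactly the kind of "different alert" the split into separate sensors is meant to surface.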
Current thread:
- Snort on networks with heavy load. John-Magne Bredal (Feb 04)
- Re: Snort on networks with heavy load. Chris Keladis (Feb 04)
- <Possible follow-ups>
- Re: Snort on networks with heavy load. Thomas Springer (Feb 04)
- RE: RE: Snort on networks with heavy load. John-Magne Bredal (Feb 04)