Snort mailing list archives
Re: Best Enterprise Snort Configuration
From: Bennett Todd <bet () rahul net>
Date: Wed, 12 Feb 2003 12:36:18 -0500
Different answers will work best for different folks, with different needs. There is no one universal "Best". Best for a given setting must include harmony with local practices, standards, and expertise. Don't underestimate the engineering effort required to maintain these things; different sensors will get false positives on different signatures; if you want to keep as many sigs enabled as possible on every sensor, while keeping it affordable to do quick updates, you need to plan on doing something to manage the complexity of signature management.

I've done this --- enterprise deployment, c. 80 sensors --- with 1U rackmounts running Red Hat 7.3. I rpmmed snort, and separately rpmmed the sigs. A third rpm delivered the initscript and log management. An automatic rpm updater script pulls updates of any of these things from a central server.

The sigs rpm builds a package that delivers /etc/snort/ from snortrules-stable.tar.gz, producing many patched versions of snort.conf and various *.rules files, #-ing out various preprocessors, #-ing out various sids. This patching I do mostly with "perl -pi -e ..." invocations.

The snort event data I forward via syslog to a central collection server, where it then gets grovelled over by a commercial logfile analyzer/correlator (IBM Tivoli RiskManager).

-Bennett
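The per-sensor patching step described in the message above, as an added example that is not Bennett Todd's own build scripts: a small POSIX shell script that reads a hypothetical per-sensor exception list (entries of the form "preprocessor NAME" and "sid NUMBER") and comments out the matching preprocessor lines in snort.conf and the matching rules in a *.rules file. The message does this with "perl -pi -e"; awk writing to a temporary file is used here instead so the script runs wherever a POSIX sh and awk exist. The snort.conf, rules file and profile contents are constructed samples with a simplified layout, not the real snortrules-stable files, and the profile format is an assumption made for this example.

```shell
#!/bin/sh
# Added example, not the original poster's scripts: comment out preprocessors
# and sids per sensor in a snortrules-stable style tree. The message used
# "perl -pi -e"; awk plus a temp file is used here for portability.
# All file contents below are constructed samples.
set -eu

WORK=$(mktemp -d)
SNORT_CONF="$WORK/snort.conf"
RULES="$WORK/web-misc.rules"
PROFILE="$WORK/sensor-dmz.profile"   # hypothetical per-sensor exception list

cat > "$SNORT_CONF" <<'EOF'
var HOME_NET any
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor http_decode: 80 8080
preprocessor portscan: $HOME_NET 4 3 portscan.log
include $RULE_PATH/web-misc.rules
EOF

cat > "$RULES" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC sample 1"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC sample 2"; sid:1000002; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC already off"; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC must survive"; sid:10000021; rev:1;)
EOF

cat > "$PROFILE" <<'EOF'
# one exception per line: "preprocessor <name>" or "sid <number>"
preprocessor portscan
sid 1000002
EOF

# Comment out "preprocessor NAME" (NAME followed by ':' or end of word).
# Lines that already start with '#' are left alone, so re-running is a no-op.
disable_preprocessor() {
    file=$1 name=$2 tmp="$1.tmp.$$"
    awk -v name="$name" '
        /^#/ { print; next }
        $1 == "preprocessor" { n = $2; sub(/:.*/, "", n)
                               if (n == name) { print "# " $0; next } }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Comment out the rule carrying exactly "sid:NUMBER;" (optional spaces), so
# disabling 1000002 never touches sid 10000021.
disable_sid() {
    file=$1 sid=$2 tmp="$1.tmp.$$"
    awk -v re="sid: *$sid *;" '
        /^#/ { print; next }
        $0 ~ re { print "# " $0; next }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# apply_profile PROFILE SNORT_CONF RULES_FILE...
# Unknown entry kinds are a hard error: a typo in a profile must not ship.
apply_profile() {
    profile=$1 conf=$2; shift 2
    while read -r kind value; do
        case $kind in
            preprocessor) disable_preprocessor "$conf" "$value" ;;
            sid) for f in "$@"; do disable_sid "$f" "$value"; done ;;
            ''|'#'*) ;;
            *) echo "unknown profile entry: $kind $value" >&2; return 1 ;;
        esac
    done < "$profile"
}

active_count()   { awk '!/^#/ && NF > 0 { n++ } END { print n + 0 }' "$1"; }
disabled_count() { awk '/^#/ { n++ } END { print n + 0 }' "$1"; }

apply_profile "$PROFILE" "$SNORT_CONF" "$RULES"
echo "snort.conf: $(active_count "$SNORT_CONF") active, $(disabled_count "$SNORT_CONF") disabled"
echo "rules:      $(active_count "$RULES") active, $(disabled_count "$RULES") disabled"
```

Keeping the exception list in a separate profile per sensor, rather than in the edit commands themselves, is what keeps the rpm rebuild cheap when a new snortrules-stable tarball arrives: the tarball changes, the profiles do not, and the same script is re-run over the fresh files.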