Snort mailing list archives

Re: Best Enterprise Snort Configuration


From: Bennett Todd <bet () rahul net>
Date: Wed, 12 Feb 2003 12:36:18 -0500

Different answers will work best for different folks, with different
needs. There is no one universal "Best". Best for a given setting
must include harmony with local practices, standards, and expertise.

Don't underestimate the engineering effort required to maintain
these things; different sensors will get false positives on
different signatures; if you want to keep as many sigs enabled
as possible on every sensor, while keeping it affordable to do
quick updates, you need to plan on doing something to manage the
complexity of signature management.

I've done this --- enterprise deployment, c. 80 sensors --- with 1U
rackmounts running Red Hat 7.3. I rpmmed snort, and separately
rpmmed the sigs. A third rpm delivered the initscript and log
management. An automatic rpm updater script pulls updates of any of
these things from a central server.

The sigs rpm builds a package that delivers /etc/snort/ from
snortrules-stable.tar.gz, producing many patched versions of
snort.conf and various *.rules files, #-ing out various
preprocessors, #-ing out various sids. This patching I do mostly
with "perl -pi -e ..." invocations.

The snort event data I forward via syslog to a central collection
server, where it then gets grovelled over by a commercial logfile
analyzer/correlator (IBM Tivoli RiskManager).

-Bennett
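As an added example, not Bennett's own scripts (the post only says the patching is done with "perl -pi -e ..." invocations): a small POSIX shell equivalent of the per-sensor patching step, using sed instead of perl, that comments out selected sids in *.rules files and selected preprocessors in snort.conf while leaving everything else untouched. The sample rules, sid numbers and preprocessor names below are constructed placeholders, not taken from any real ruleset.

```shell
#!/bin/sh
# Per-sensor signature management: "#" out chosen sids and preprocessors.
# The edits are idempotent, so re-running after a ruleset update is safe.

# disable_sids FILE SID...  -- prefix active rule lines carrying the given
# sids with "# ". Matches "sid:N;" exactly, so sid 1000001 never hits 10000010.
disable_sids() {
    file=$1; shift
    for sid in "$@"; do
        # only lines that are not already commented out are touched
        sed "/^[^#].*sid:${sid};/s/^/# /" "$file" > "$file.tmp" &&
            mv "$file.tmp" "$file"
    done
}

# disable_preprocessors FILE NAME...  -- comment out "preprocessor NAME"
# and "preprocessor NAME: args" lines in snort.conf (exact-name match, so
# disabling "stream4" leaves a hypothetical "stream4_reassemble" alone).
disable_preprocessors() {
    file=$1; shift
    for name in "$@"; do
        sed -e "/^preprocessor ${name}\$/s/^/# /" \
            -e "/^preprocessor ${name}[: ]/s/^/# /" "$file" > "$file.tmp" &&
            mv "$file.tmp" "$file"
    done
}

# count_active FILE  -- number of live (uncommented) alert rules left
count_active() {
    grep -c '^alert' "$1" || true
}

# Constructed sample input (placeholder sids, not real Snort rules).
demo() {
    dir=$(mktemp -d)
    cat > "$dir/web.rules" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE one"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE two"; sid:10000010; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE three"; sid:1000002; rev:1;)
EOF
    printf 'preprocessor frag2\npreprocessor stream4: detect_scans\n' > "$dir/snort.conf"
    disable_sids "$dir/web.rules" 1000001          # noisy on this sensor
    disable_preprocessors "$dir/snort.conf" stream4
    count_active "$dir/web.rules"                  # 2 rules still live
    grep -c '^# preprocessor' "$dir/snort.conf"    # 1 preprocessor disabled
}

demo
```

In the post's setup the same functions would run at rpm build time over the unpacked snortrules-stable.tar.gz tree, with the sid and preprocessor lists differing per sensor package.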
