Snort mailing list archives
RE: Best Enterprise Snort Configuration
From: "Kreimendahl, Chad J" <Chad.Kreimendahl () umb com>
Date: Fri, 14 Feb 2003 09:52:28 -0600
What brings on the need for 60-70 sensors? There may be many better ways to consolidate several links into one (monitoring a DMZ or VLAN, for example)... Depending on how much money you want to spend (hardware/software), you may consider people like Sourcefire or Demarc. If you have in-house developers, you may even consider using them to develop a tool.

I would recommend Oracle if you're going to plan on having more than a few hundred thousand records in the DB. This will likely mean you need a machine dedicated to DB stuff, but that doesn't sound too crazy if you're talking about 60-70 sensors.

Also, I would look into quad ethernet cards on a dual box. Or, if you can consolidate a DMZ of webservers or a VLAN of something common, you can SPAN that out through gigabit and likely be able to have at least one, if not two, gigE cards monitoring on one sensor. I would recommend a dual 1.4+GHz box for doing 2 gigE or quad ethernet.

Though FreeBSD typically handles network traffic better, I would personally recommend Linux for only one reason: Oracle. Other than that, FreeBSD would be the way to go.

-----Original Message-----
From: tfandango [mailto:tfandango () yahoo com]
Sent: Wednesday, February 12, 2003 9:39 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Best Enterprise Snort Configuration

Good news, I have a go for a Snort R&D project to prove that Snort can handle the traffic that our current commercial $oftware does. So I have a few questions...

What is the best enterprise setup? I estimate that we will need about 60-70 sensors when it's all said and done. For an R&D project, I figure that I will start with about 2 sensors running Linux. So what snort-related tools do you guys like the best? I will probably try to use MySQL to start off with and log to a central database somewhere.

But what tools are available to remotely manage the snort application, display all the sensor alerts in near realtime on some central console (I assume this will be something that polls the database), etc, etc. Just looking for some opinions in this area!

Thanks!
tfandango
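The "central console that polls the database" idea from the quoted question, as an added example that is not from either poster: a minimal poller over tables modelled on the classic Snort database output schema (sensor, event, signature; the schema subset and all rows are constructed here and held in-memory with sqlite3). The point it shows is that Snort numbers events per sensor (cid restarts at 1 for each sid), so the console must keep one high-water mark per sensor rather than a single global counter.

```python
import sqlite3

# Subset of the classic Snort DB output schema; constructed sample rows, not real alerts.
SCHEMA = """
CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_priority INTEGER);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                    PRIMARY KEY (sid, cid));
INSERT INTO sensor VALUES (1, 'dmz-sensor', 'eth1'), (2, 'vlan-sensor', 'eth2');
INSERT INTO signature VALUES (100, 'WEB-IIS cmd.exe access', 1),
                             (200, 'ICMP PING NMAP', 2);
INSERT INTO event VALUES (1, 1, 100, '2003-02-14 09:00:01'),
                         (1, 2, 200, '2003-02-14 09:00:05'),
                         (2, 1, 200, '2003-02-14 09:00:07');
"""

def make_db():
    """Build the in-memory sample database (stands in for the central MySQL/Oracle DB)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def poll_new_events(conn, watermarks):
    """Return events the console has not yet seen and advance the per-sensor watermarks.

    watermarks maps sid -> last cid displayed; each sensor has its own cid sequence.
    """
    new = []
    for (sid,) in conn.execute("SELECT sid FROM sensor ORDER BY sid"):
        last = watermarks.get(sid, 0)
        rows = conn.execute(
            "SELECT e.sid, e.cid, s.hostname, g.sig_name, g.sig_priority, e.timestamp "
            "FROM event e JOIN sensor s ON s.sid = e.sid "
            "JOIN signature g ON g.sig_id = e.signature "
            "WHERE e.sid = ? AND e.cid > ? ORDER BY e.cid", (sid, last)).fetchall()
        if rows:
            watermarks[sid] = rows[-1][1]  # highest cid seen for this sensor
            new.extend(rows)
    return new

def add_event(conn, sid, signature, ts):
    """Simulate one sensor logging another alert: next cid in that sensor's sequence."""
    nxt = conn.execute("SELECT COALESCE(MAX(cid), 0) + 1 FROM event WHERE sid = ?",
                       (sid,)).fetchone()[0]
    conn.execute("INSERT INTO event VALUES (?, ?, ?, ?)", (sid, nxt, signature, ts))
    conn.commit()

if __name__ == "__main__":
    conn, seen = make_db(), {}
    for row in poll_new_events(conn, seen):   # first poll: all three sample alerts
        print(row)
    add_event(conn, 2, 100, "2003-02-14 09:01:00")
    print(poll_new_events(conn, seen))        # second poll: only the new sensor-2 alert
```

In a real deployment the loop would sleep between polls and persist the watermarks, so a console restart does not replay every alert in the table.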
Current thread:
- RE: Best Enterprise Snort Configuration McPheeters, Scott (Feb 12)
- <Possible follow-ups>
- RE: Best Enterprise Snort Configuration Hutchinson, Andrew (Feb 12)
- RE: Best Enterprise Snort Configuration Kreimendahl, Chad J (Feb 14)
- Re: Best Enterprise Snort Configuration Bennett Todd (Feb 14)