Snort mailing list archives

RE: Tips for using ACID in a multi-admin environment?


From: "Williams Jon" <WilliamsJonathan () JohnDeere com>
Date: Fri, 30 May 2003 14:36:07 -0500

First, a quick thanks to everyone who's responded.  It's good to know that
I'm not the only overworked Snort admin out there :-)

This comment brings up some interesting thoughts.  We've actually done quite
a bit of tuning.  Some sensors run almost exclusively a custom ruleset,
watching for signatures of things we suspect to be anomalies.  For example,
we watch for TCP reset packets to common ports, servers initiating outbound
TCP sessions, IP addresses that shouldn't be on our networks, packets that
shouldn't ever be routed, things like that.  Some of the rules are quite
noisy, like the TCP reset rules, but they act a bit like a mining canary: if
something is going wrong, they light up like a Christmas tree and we go from
our typical load of 5000-6000 alerts/day to 30k+ in a matter of minutes.

So, being a real smart guy, I used RRD-Tool (www.rrdtool.org) to poll the
event and iphdr tables to pull out the total number of alerts, total number
of unique source IPs, unique destination IPs, and unique signatures in the
database every 5 minutes.  By looking at the line chart, we get an easy idea
of how quickly the alert world has changed.

Of course, being lazy, I wondered, has anyone thought about getting paged
when the rate of alerts changed?  This includes not only if there's a sudden
spike in alerts where a sensor that usually generates 5/second starts doing
50/second, but also if there's an increase across all sensors or if a sensor
that's normally chatty suddenly stops alerting.

Jon
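The polling and the "page me when the rate changes" idea from Jon's message, worked through as an added example that is not code from the thread or from the Snort/ACID projects. It assumes the ACID/Snort database tables `event(sid, cid, signature, timestamp)` and `iphdr(sid, cid, ip_src, ip_dst)`, a 5-minute window, and the thresholds `spike_factor` and `quiet_after` chosen here; the sample rows are constructed in an in-memory SQLite database so it runs offline, and the same SQL would run unchanged through a DB-API connection to the MySQL backend ACID normally uses.

```python
"""Added example (not from the original thread): pull per-sensor alert
statistics for one polling window and flag sensors whose alert rate spiked
or went quiet compared with their trailing baseline."""
import sqlite3
from statistics import median

# Per-sensor counts for one window: total alerts, unique sources, unique
# destinations, unique signatures (the four series Jon graphs with RRDtool).
# Table and column names are the Snort/ACID schema as assumed in the lead-in.
WINDOW_SQL = """
SELECT e.sid,
       COUNT(*)                    AS alerts,
       COUNT(DISTINCT i.ip_src)    AS src_ips,
       COUNT(DISTINCT i.ip_dst)    AS dst_ips,
       COUNT(DISTINCT e.signature) AS sigs
FROM event e
JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
WHERE e.timestamp >= ? AND e.timestamp < ?
GROUP BY e.sid
"""


def window_stats(conn, start, end):
    """Map sid -> (alerts, src_ips, dst_ips, sigs) for [start, end)."""
    return {sid: (a, s, d, g)
            for sid, a, s, d, g in conn.execute(WINDOW_SQL, (start, end))}


def classify(history, current, spike_factor=5.0, quiet_after=20):
    """Compare one interval's alert count against the median of prior ones.

    'spike'   : current is at least spike_factor times the baseline
    'silent'  : a sensor that normally exceeds quiet_after alerts reported none
    'normal'  : neither condition holds
    'no-baseline' : nothing to compare against yet (fresh sensor)
    Thresholds are assumed values, not anything stated on the page.
    """
    if not history:
        return "no-baseline"
    baseline = median(history)
    if current >= spike_factor * max(baseline, 1):
        return "spike"
    if baseline >= quiet_after and current == 0:
        return "silent"
    return "normal"


def check_sensors(history, current, **thresholds):
    """Classify every sensor plus the fleet-wide total.

    history: sid -> list of prior per-window counts (oldest first)
    current: sid -> count in the newest window; a sensor absent here
             had no rows, which is exactly how a silent sensor shows up.
    """
    verdicts = {}
    for sid in set(history) | set(current):
        verdicts[sid] = classify(history.get(sid, []), current.get(sid, 0),
                                 **thresholds)
    # Fleet-wide series: sum across sensors per window (zip truncates to the
    # shortest history, so keep histories the same length in practice).
    fleet_history = [sum(counts) for counts in zip(*history.values())]
    verdicts["all"] = classify(fleet_history, sum(current.values()),
                               **thresholds)
    return verdicts


def build_sample_db():
    """Constructed sample data: sensor 1 is steady, sensor 2 bursts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER,
                            timestamp TEXT);
        CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER,
                            ip_dst INTEGER);
    """)
    rows, cid = [], 0
    # sensor 1: three alerts in each of the two 5-minute windows
    for minute in (31, 33, 34, 36, 37, 39):
        cid += 1
        rows.append((1, cid, 1000, f"2003-05-30 14:{minute}:00", 10, 20))
    # sensor 2: two alerts in the first window, twelve in the second
    for minute in (32, 34):
        cid += 1
        rows.append((2, cid, 2000, f"2003-05-30 14:{minute}:00", 30, 40))
    for n in range(12):
        cid += 1
        rows.append((2, cid, 2000 + n % 2, f"2003-05-30 14:{35 + n % 5}:00",
                     100 + n % 4, 40))
    conn.executemany("INSERT INTO event VALUES (?, ?, ?, ?)",
                     [r[:4] for r in rows])
    conn.executemany("INSERT INTO iphdr VALUES (?, ?, ?, ?)",
                     [(r[0], r[1], r[4], r[5]) for r in rows])
    return conn


if __name__ == "__main__":
    conn = build_sample_db()
    prev = window_stats(conn, "2003-05-30 14:30:00", "2003-05-30 14:35:00")
    now = window_stats(conn, "2003-05-30 14:35:00", "2003-05-30 14:40:00")
    history = {sid: [stats[0]] for sid, stats in prev.items()}
    current = {sid: stats[0] for sid, stats in now.items()}
    for sid, verdict in check_sensors(history, current).items():
        print(sid, verdict)
```

In a real deployment the script would run from cron every five minutes, keep the last few dozen window counts per sensor (the same numbers already being fed to RRDtool), and hand anything other than "normal" to the pager. Using the median rather than the mean as the baseline keeps one earlier burst from masking the next one, and the "silent" branch covers the case Jon mentions of a normally chatty sensor that suddenly stops reporting.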

-----Original Message-----
From: Anthony Kim [mailto:Anthony.Kim () VWCREDIT COM]
Sent: Friday, May 30, 2003 1:31 PM
To: Williams Jon
Cc: Snort-users () lists sourceforge net
Subject: Re: [Snort-users] Tips for using ACID in a multi-admin environment?

If your situation is such that your alerts are a
neverending clickstream of deletia, then perhaps you might
reconsider what you are logging, tune your policies some more?

Anthony


