Snort mailing list archives
cost/benefit of Snort
From: uuyys84 <uuyys84 () yahoo com>
Date: Fri, 23 Jan 2004 12:02:55 -0800 (PST)
I'm trying to come up with a cost/benefit analysis of running Snort in a network, in general terms. Can you add anything that you see is missing or wrong?

A. COSTS:

I would guess costs are mostly in human time (FTE) functions:
- Installation, configuration
- Locking down/securing the boxes' processes (i.e.: Bastille scripts, etc.)
- Patching
- Monitoring Snort logs to determine legitimate alerts
- Adding, changing, fine-tuning filter rules
- Ideally a 24/7 operation requiring HOW MANY FTEs per shift? What does the number of FTEs depend upon?
- What is the "cost" of having only one shift covered?

But also hardware and software costs:
- Dedicated PCs (how many?)
- Operating system and support agreements for the OS
- Network bandwidth (how do you address questions of how much network speed is affected by Snort boxes?)
  # How do you scale?
  # The book "Snort 2.0 Intrusion Detection" discusses different architectures but doesn't give any kind of rule of thumb for number of boxes per architecture. Yes, I know it depends upon the processor, RAM and bus speed, etc., but beyond that, how do you define?
  # Would it be safe to say that once you see that you are dropping packets you need to add another box? Is it just trial and error ONLY?

B. BENEFITS:
- They can alert you to the presence of attacks (internal and external; the majority of attacks occur, knowingly or unknowingly, from within the network)
- Identifies vulnerabilities and weaknesses in the perimeter protection devices: firewalls and routers
- "What you don't know CAN hurt you"
- Preventative knowledge: IDSs can alert you to reconnaissance scanning in your network, which can alert you to impending attacks
- Helps enforce security policies
- Great sources of forensic evidence
- Inline IDSs can halt active attacks on your network
- Rounds out an overall security model

Can you add anything or correct me?
Thanks,
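The "once you see dropped packets, add another box" heuristic raised in the post, as an added example that is neither the poster's nor the Snort project's code: it parses the "Packet I/O Totals" block that Snort 2.9 prints on exit or on SIGUSR1 (the block below and its numbers are constructed for this example) and flags a sensor for more capacity only when the drop rate stays above a threshold across several consecutive samples, so a single spike during a rule reload does not trigger a hardware purchase.

```python
import re
from dataclasses import dataclass

# Constructed sample of the "Packet I/O Totals" block Snort 2.9 prints on exit
# or SIGUSR1. Field names follow that block; the counters are made up here.
SAMPLE_STATS = """\
===============================================================================
Packet I/O Totals:
   Received:      1250000
   Analyzed:      1212500 ( 97.000%)
    Dropped:        37500 (  3.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
"""


@dataclass
class PacketTotals:
    received: int
    analyzed: int
    dropped: int

    @property
    def drop_rate(self) -> float:
        """Fraction of received packets the sensor never inspected."""
        return self.dropped / self.received if self.received else 0.0


_COUNTER = re.compile(r"^\s*(Received|Analyzed|Dropped):\s+(\d+)", re.MULTILINE)


def parse_packet_totals(text: str) -> PacketTotals:
    """Pull the Received/Analyzed/Dropped counters out of a Snort statistics dump."""
    fields = {name.lower(): int(value) for name, value in _COUNTER.findall(text)}
    missing = {"received", "analyzed", "dropped"} - set(fields)
    if missing:
        raise ValueError(f"statistics block lacks {sorted(missing)}")
    return PacketTotals(**fields)


def needs_more_capacity(samples, threshold=0.01, min_consecutive=3) -> bool:
    """True when the drop rate exceeds `threshold` for `min_consecutive` samples
    in a row. Sustained loss, not a one-off spike, is the scaling signal."""
    run = 0
    for totals in samples:
        run = run + 1 if totals.drop_rate > threshold else 0
        if run >= min_consecutive:
            return True
    return False
```

Feed `needs_more_capacity` one `PacketTotals` per periodic statistics dump; the 1% threshold and three-sample window are starting points to tune per sensor, not fixed rules.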