Snort mailing list archives

Re: Getting more paranoid by the minute. :-/


From: Demetri Mouratis <dmourati () cm math uiuc edu>
Date: Sat, 24 Apr 2004 22:49:31 -0500 (CDT)

On Sat, 24 Apr 2004, Shaun T. Erickson wrote:
> Somewhat unrelated question: Once I set this up, how much time should I
> expect to have to spend on it daily?

The answer is that the time required depends on a number of factors: snort
ruleset, number of hosts/nets monitored, and level of treatment given to
each incident.  You can greatly reduce the time involvement per incident
by using a nice web front end (I use ACID) and database backend
(PostgreSQL) that will allow you to drill down on an incident and quickly
find out more information about the offending IP and what other nefarious
things it has done to your network.

Also, keep in mind that even on a well configured snort system, you may
get alerts faster than you can process them.  It will take some time for
you to get used to your own environment and filter out the noise from the
really bad stuff and then tune your ruleset and/or firewalls accordingly.
This is an ongoing process.

---------------------------------------------------------------------
Demetri Mouratis
dmourati at linfactory.com
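The two workflows described in this reply, drilling down from one alert to everything the same source has done, and ranking signatures by volume to find the noise worth tuning out, are shown below as an added example. It is not code from the original post, ACID, or Snort. Table and column names (event, iphdr, signature, ip_src stored as a 32-bit integer) are modelled on the Snort database schema of that era and should be treated as an assumption; sqlite3 stands in for PostgreSQL so the example runs offline, and the alert rows are constructed sample data using RFC 5737 documentation addresses.

```python
import socket
import sqlite3
import struct

# Assumed Snort DB layout (event / iphdr / signature). sqlite3 replaces
# PostgreSQL here purely so the example runs without a server.
SCHEMA = """
CREATE TABLE signature (
    sig_id INTEGER PRIMARY KEY, sig_name TEXT NOT NULL, sig_priority INTEGER);
CREATE TABLE event (
    sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
    PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (
    sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER, ip_proto INTEGER,
    PRIMARY KEY (sid, cid));
"""

SENSOR_ID = 1  # one sensor; Snort keys events by (sensor id, event id)

# Constructed sample signatures: (sig_id, name, priority; 1 = most severe).
SIGNATURES = [
    (1, "ICMP PING NMAP", 2),
    (2, "SCAN nmap TCP", 2),
    (3, "WEB-IIS cmd.exe access", 1),
    (4, "ICMP Destination Unreachable Port Unreachable", 3),
]

# Constructed sample alerts: (cid, sig_id, timestamp, src, dst, ip proto).
# 203.0.113.7 is the "offending IP"; 192.0.2.1 is an internal router
# producing routine ICMP unreachables, i.e. the noise.
EVENTS = [
    (1, 1, "2004-04-24 21:00:01", "203.0.113.7", "192.0.2.10", 1),
    (2, 2, "2004-04-24 21:00:05", "203.0.113.7", "192.0.2.10", 6),
    (3, 4, "2004-04-24 21:00:30", "192.0.2.1", "192.0.2.30", 1),
    (4, 3, "2004-04-24 21:01:10", "203.0.113.7", "192.0.2.20", 6),
    (5, 4, "2004-04-24 21:01:31", "192.0.2.1", "192.0.2.30", 1),
    (6, 4, "2004-04-24 21:02:32", "192.0.2.1", "192.0.2.31", 1),
    (7, 4, "2004-04-24 21:03:33", "192.0.2.1", "192.0.2.32", 1),
]


def ip2int(dotted: str) -> int:
    """Snort stores IPv4 addresses as unsigned 32-bit integers."""
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


def int2ip(n: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", n))


def load_sample_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed alerts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?, ?, ?)", SIGNATURES)
    for cid, sig, ts, src, dst, proto in EVENTS:
        conn.execute("INSERT INTO event VALUES (?, ?, ?, ?)",
                     (SENSOR_ID, cid, sig, ts))
        conn.execute("INSERT INTO iphdr VALUES (?, ?, ?, ?, ?)",
                     (SENSOR_ID, cid, ip2int(src), ip2int(dst), proto))
    conn.commit()
    return conn


def drill_down(conn: sqlite3.Connection, sid: int, cid: int):
    """Start from one alert and list everything its source IP has triggered."""
    row = conn.execute("SELECT ip_src FROM iphdr WHERE sid = ? AND cid = ?",
                       (sid, cid)).fetchone()
    if row is None:
        raise KeyError(f"no event {sid}/{cid}")
    src = row[0]
    rows = conn.execute("""
        SELECT e.timestamp, s.sig_name, s.sig_priority, i.ip_dst
        FROM event e
        JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
        JOIN signature s ON s.sig_id = e.signature
        WHERE i.ip_src = ?
        ORDER BY e.timestamp""", (src,)).fetchall()
    return int2ip(src), [(ts, name, prio, int2ip(dst))
                         for ts, name, prio, dst in rows]


def noisiest_signatures(conn: sqlite3.Connection, limit: int = 3):
    """Signatures ranked by alert count: the first place to look when tuning."""
    rows = conn.execute("""
        SELECT s.sig_name, COUNT(*) AS n
        FROM event e JOIN signature s ON s.sig_id = e.signature
        GROUP BY s.sig_name
        ORDER BY n DESC, s.sig_name
        LIMIT ?""", (limit,)).fetchall()
    return [(name, n) for name, n in rows]


if __name__ == "__main__":
    db = load_sample_db()
    src, hits = drill_down(db, SENSOR_ID, 4)   # the cmd.exe alert
    print(f"history for {src}:")
    for ts, name, prio, dst in hits:
        print(f"  {ts}  p{prio}  {name:45s} -> {dst}")
    print("noisiest signatures:", noisiest_signatures(db))
```

Starting from the high-priority cmd.exe alert (event 4) the drill-down shows the same host pinging and port-scanning the network a minute earlier, which is the context ACID's click-through views gave. The volume ranking puts the router's port-unreachable messages on top, the kind of alert that ends up suppressed or filtered at the firewall once it is recognised as background noise.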