Snort mailing list archives
Re: Getting more paranoid by the minute. :-/
From: "Shaun T. Erickson" <ste () smxy org>
Date: Sat, 24 Apr 2004 23:55:45 -0400
Demetri Mouratis wrote:
> On Sat, 24 Apr 2004, Shaun T. Erickson wrote:
>> Somewhat unrelated question: Once I set this up, how much time should I expect to have to spend on it daily?
> The answer is that the time required depends on a number of factors: snort ruleset, number of hosts/nets monitored, and level of treatment given to each incident. You can greatly reduce the time involvement per incident by using a nice web front end (I use acid) and database backend (PostgreSQL) that will allow you to drill down on an incident and quickly find out more information about the offending IP and what other nefarious things it has done to your network.
Pending learning more about them, Acid & MySQL was what I was thinking of. I'm trying to decide if the three snort systems should have their own acid/mysql or if two should log to the database on the third, so I can have one database and one acid ... I think that comes in a later chapter. :)
> Also, keep in mind that even on a well configured snort system, you may get alerts faster than you can process them. It will take some time for you to get used to your own environment and filter out the noise from the really bad stuff and then tune your ruleset and/or firewalls accordingly. This is an ongoing process.
Ok.

-ste
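The two points in Demetri's reply, drilling down on an offending IP to see everything it has done and filtering the noise out before looking at the really bad stuff, are what a database plus a front end like ACID do for you. The script below is an added example that is not part of this thread and not ACID or Snort code; it does the same aggregation on Snort's plain-text "fast" alert output so the workflow is visible without a database. The alert lines, signature IDs (in the 1000000+ local-rule range) and addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
"""Triage Snort fast-format alerts: suppress tuned-out signatures, group the
rest by offending source IP, and rank sources by severity and activity."""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Snort's alert_fast output line layout. Classification is optional in that
# format; the source/destination ports are absent for protocols such as ICMP.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (not captured traffic). Signature IDs are in the
# local-rule range and the addresses are documentation prefixes.
SAMPLE_ALERTS = [
    "04/24-23:10:01.000001  [**] [1:1000001:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 198.51.100.5",
    "04/24-23:10:02.000002  [**] [1:1000001:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 198.51.100.6",
    "04/24-23:11:15.000003  [**] [1:1000002:1] LOCAL SYN burst to sshd [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:40000 -> 198.51.100.5:22",
    "04/24-23:12:40.000004  [**] [1:1000003:1] LOCAL web server probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:40001 -> 198.51.100.7:80",
    "04/24-23:13:05.000005  [**] [1:1000001:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.77 -> 198.51.100.5",
    "04/24-23:14:00.000006  [**] [1:1000004:1] LOCAL SNMP public community [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.0.2.33:5000 -> 198.51.100.9:161",
    "this line is not an alert and exercises the parse-failure path",
]

# Signatures tuned out as environment noise, keyed by (gid, sid). In a real
# deployment this is what a suppress/threshold entry in snort.conf does.
NOISE_SIGNATURES: FrozenSet[Tuple[int, int]] = frozenset({(1, 1000001)})


@dataclass
class Alert:
    ts: str
    gid: int
    sid: int
    msg: str
    priority: int
    proto: str
    src: str
    dst: str
    dport: Optional[int]


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one fast-format line; return None for anything that is not one."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    return Alert(
        ts=m["ts"], gid=int(m["gid"]), sid=int(m["sid"]), msg=m["msg"],
        priority=int(m["prio"]), proto=m["proto"], src=m["src"], dst=m["dst"],
        dport=int(m["dport"]) if m["dport"] else None,
    )


def summarize_by_source(lines: List[str],
                        suppressed: FrozenSet[Tuple[int, int]] = frozenset()
                        ) -> Tuple[Dict[str, dict], int]:
    """Group surviving alerts by source IP. Returns (summary, unparsed_count).

    Each summary entry records how many alerts the source produced, which
    signatures it fired, which hosts it touched, and its most severe priority
    (Snort priority 1 is the most severe)."""
    summary: Dict[str, dict] = {}
    unparsed = 0
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            unparsed += 1          # count, do not silently drop, malformed input
            continue
        if (alert.gid, alert.sid) in suppressed:
            continue               # tuned-out noise never reaches the analyst
        entry = summary.setdefault(alert.src, {
            "count": 0, "signatures": set(), "targets": set(), "top_priority": 99})
        entry["count"] += 1
        entry["signatures"].add(f"{alert.gid}:{alert.sid} {alert.msg}")
        entry["targets"].add(alert.dst)
        entry["top_priority"] = min(entry["top_priority"], alert.priority)
    return summary, unparsed


def triage_order(summary: Dict[str, dict]) -> List[str]:
    """Source IPs ordered most severe first, then most alerts, then most targets."""
    return sorted(summary, key=lambda ip: (summary[ip]["top_priority"],
                                           -summary[ip]["count"],
                                           -len(summary[ip]["targets"])))


if __name__ == "__main__":
    report, bad = summarize_by_source(SAMPLE_ALERTS, NOISE_SIGNATURES)
    for ip in triage_order(report):
        e = report[ip]
        print(f"{ip}: priority {e['top_priority']}, {e['count']} alerts, "
              f"{len(e['targets'])} targets, {sorted(e['signatures'])}")
    print(f"{bad} unparsable line(s)")
```

Run against the sample, the ICMP echo signature is suppressed, so 192.0.2.77 disappears entirely and 192.0.2.10 drops from four alerts to the two that matter, yet it still ranks first because one of them carries priority 1 and it touched more than one host. That ordering is the "drill down on the offending IP" view; swapping the suppression set is the "tune your ruleset" step.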