Snort mailing list archives

Re: Getting more paranoid by the minute. :-/


From: "Shaun T. Erickson" <ste () smxy org>
Date: Sat, 24 Apr 2004 23:55:45 -0400

Demetri Mouratis wrote:

> On Sat, 24 Apr 2004, Shaun T. Erickson wrote:
>
> > Somewhat unrelated question: Once I set this up, how much time should I
> > expect to have to spend on it daily?
>
> The answer is that the time required depends on a number of factors: snort
> ruleset, number of hosts/nets monitored, and level of treatment given to
> each incident.  You can greatly reduce the time involvement per incident
> by using a nice web front end (I use acid) and database backend
> (PostgreSQL) that will allow you to drill down on an incident and quickly
> find out more information about the offending IP and what other nefarious
> things it has done to your network.

Pending learning more about them, Acid & MySQL was what I was thinking of. I'm trying to decide if the three snort systems should have their own acid/mysql or if two should log to the database on the third, so I can have one database and one acid ... I think that comes in a later chapter. :)

> Also, keep in mind that even on a well configured snort system, you may
> get alerts faster than you can process them.  It will take some time for
> you to get used to your own environment and filter out the noise from the
> really bad stuff and then tune your ruleset and/or firewalls accordingly.
> This is an ongoing process.

Ok.

        -ste
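The advice above (one database so you can drill down on an offending IP across sensors, and separate the noise from the really bad stuff before tuning) is what an ACID/MySQL setup gives you in a web UI. The script below is an added example, not code from the thread or from the Snort or ACID projects: it does the same triage offline over Snort's alert_fast text output from several sensors, grouping alerts by source IP, ranking sources by worst priority and volume, and listing sources whose only alerts are low priority as candidates for a threshold or suppress rule. The sensor names and the alert lines are constructed sample data patterned on the alert_fast format, not captured traffic.

```python
"""Triage helper for Snort alert_fast output (added example, not from the thread).

Groups alerts from several sensors by offending source IP so an analyst can see
which hosts generate most of the noise and which carry high-priority
signatures. The sensor names and alert lines below are constructed for the
example; they are not real captures.
"""
import re
from collections import Counter

# One alert_fast line looks like:
# 04/24-23:40:01.000001  [**] [1:1418:11] SNMP request tcp [**] [Classification: ...] [Priority: 2] {TCP} 10.9.8.7:3131 -> 192.168.1.10:161
# ICMP alerts carry no ports, so the port groups are optional.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample output from two hypothetical sensors (not real data).
SENSOR_LOGS = {
    "sensor-dmz": """\
04/24-23:40:01.000001  [**] [1:1418:11] SNMP request tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.9.8.7:3131 -> 192.168.1.10:161
04/24-23:40:02.000002  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.9.8.7 -> 192.168.1.10
04/24-23:41:10.000003  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.9.8.7:4021 -> 192.168.1.20:80
""",
    "sensor-inside": """\
04/24-23:42:00.000004  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.1.1
04/24-23:42:05.000005  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.1.2
04/24-23:43:00.000006  [**] [1:1418:11] SNMP request tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.9.8.7:3132 -> 192.168.2.10:161
this line is not an alert and is skipped by the parser
""",
}


def parse_alert(line):
    """Parse one alert_fast line into a dict, or return None if it is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    alert["prio"] = int(alert["prio"])  # Snort priority: 1 is most severe
    return alert


def parse_sensor_logs(logs):
    """Parse {sensor_name: alert_fast_text} into a flat list of alerts tagged by sensor."""
    alerts = []
    for sensor, text in logs.items():
        for line in text.splitlines():
            alert = parse_alert(line)
            if alert:
                alert["sensor"] = sensor
                alerts.append(alert)
    return alerts


def triage_by_source(alerts):
    """Summarise alerts per source IP: count, worst priority, sensors that saw it, signatures."""
    summary = {}
    for a in alerts:
        s = summary.setdefault(
            a["src"], {"count": 0, "top_prio": 99, "sensors": set(), "sigs": Counter()}
        )
        s["count"] += 1
        s["top_prio"] = min(s["top_prio"], a["prio"])
        s["sensors"].add(a["sensor"])
        s["sigs"][a["msg"]] += 1
    return summary


def rank_sources(summary):
    """Most urgent first: worst priority, then most alerts, then seen on most sensors."""
    return sorted(
        summary,
        key=lambda ip: (summary[ip]["top_prio"], -summary[ip]["count"], -len(summary[ip]["sensors"])),
    )


def suppress_candidates(summary, min_prio=3):
    """Sources whose alerts are all low priority: tune with threshold/suppress, not analyst time."""
    return sorted(ip for ip, s in summary.items() if s["top_prio"] >= min_prio)


if __name__ == "__main__":
    summary = triage_by_source(parse_sensor_logs(SENSOR_LOGS))
    for ip in rank_sources(summary):
        s = summary[ip]
        print(f"{ip:15} prio={s['top_prio']} alerts={s['count']} sensors={sorted(s['sensors'])}")
        for msg, n in s["sigs"].most_common():
            print(f"    {n:3} x {msg}")
    print("low-priority-only sources:", suppress_candidates(summary))
```

The cross-sensor view is the point of the exercise: 10.9.8.7 looks like routine SNMP probing on either sensor alone, but merging both logs shows it also tried a priority-1 web attack, while the internal host that only pings is a candidate for a suppress rule rather than a ticket. Splitting the sensors across three separate ACID/MySQL instances would hide exactly that correlation.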


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
