Snort mailing list archives

Re: New snort install question


From: Jason Haar <Jason_Haar () trimble com>
Date: Tue, 22 May 2012 08:34:04 +1200

On 22/05/12 07:37, Sallee, Stephen (Jake) wrote:

We have 50+ buildings on campus and the idea is to place a single
snort box in each building and have it sniff the uplink traffic, then
report back to our NAC system (Packetfence).  The goal was to be able
to use some of our older desktops (Dell 960s) as kind of snort nodes
with no keyboard, mouse or monitor.

What are the uplinks? I'd guess either 1G or 10G? Do "old" Dell 960s
have PCIe buses and Ethernet cards to match, and do they have high-end
CPUs that can keep up with "counting" 1-10Gbps Ethernet traffic? I think
you may be expecting too much of the hardware?

We would prefer to be able to manage all of these distributed snort
boxes from a single place or at least from a web GUI on each box.

#1. Am I way off base thinking about using snort this way?


Assuming I am correct about the uplink speeds, this is probably the best
way of doing it. The only other option would be to "collapse" those
uplinks into a single area and SPAN that - but then you're in the
10-100Gbps range...? Methinks that's a harder problem to solve ;-)

#3. Am I missing something crucial that would make me look like an
idiot when I go to set this up?

First question is always: "what are you trying to achieve"? Second is
"what is your budget" ;-). If you are wanting to protect your computers
from your computers, then you are on the right track. If you are trying
to protect your computers from "the Internet", then you're doing it
wrong - you only need one NIDS at the edge of your network.

Basically, lots of organizations use NIDS to monitor (LAN to) WAN or
Internet pipes, few use it to monitor (LAN to) LANs - it's just too
expensive and time-consuming (i.e. there's a lot more exotic traffic,
which leads to a lot more FPs).

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
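Editor's added example (not code from the thread or from the Snort project): the practical way to answer the "can this old desktop keep up with the uplink" question above is to compare the worst-case packet rate of the link with what the sensor actually drops. The script below computes the minimum-frame packet rate for a given link speed and parses the "Packet I/O Totals" summary that Snort prints when it exits, flagging a sensor whose drop rate exceeds a threshold. The stats block is constructed to resemble Snort 2.9's exit summary, and the 1% drop threshold is an assumption, not a Snort default.

```python
"""Sanity checks for a Snort sensor on a building uplink.

Added example for this thread, not the original poster's or the Snort
project's code. SAMPLE_STATS is a constructed stats block in the shape
of Snort 2.9's exit summary; MAX_DROP is an assumed threshold.
"""
import re

# Constructed sample of what a sensor prints (or logs) when snort exits.
SAMPLE_STATS = """\
===============================================================================
Packet I/O Totals:
   Received:      9876543
   Analyzed:      9345678 ( 94.625%)
    Dropped:       530865 (  5.375%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
"""

# Assumed acceptable drop fraction before we call the box undersized.
MAX_DROP = 0.01

COUNTER_RE = re.compile(
    r"^\s*(Received|Analyzed|Dropped|Filtered|Outstanding|Injected):\s+(\d+)",
    re.MULTILINE,
)


def max_pps(link_gbps):
    """Worst-case packets per second on an Ethernet link of the given speed.

    Minimum frame (64 bytes) plus preamble and inter-frame gap (20 bytes)
    is 84 bytes = 672 bits on the wire. A 1 Gbps link therefore carries
    at most ~1.49 million packets per second; 10 Gbps carries ~14.9 million.
    """
    return link_gbps * 1e9 / 672.0


def parse_packet_totals(text):
    """Return {counter_name: int} from a Snort 'Packet I/O Totals' block."""
    return {m.group(1): int(m.group(2)) for m in COUNTER_RE.finditer(text)}


def drop_rate(totals):
    """Fraction of received packets that were dropped (0.0 if nothing seen)."""
    received = totals.get("Received", 0)
    if received == 0:
        return 0.0
    return totals.get("Dropped", 0) / received


def assess_sensor(stats_text, link_gbps=1, max_drop=MAX_DROP):
    """Summarize link budget and observed drops; verdict is OK or UNDERSIZED."""
    totals = parse_packet_totals(stats_text)
    rate = drop_rate(totals)
    return {
        "link_max_pps": int(max_pps(link_gbps)),
        "received": totals.get("Received", 0),
        "dropped": totals.get("Dropped", 0),
        "drop_rate": rate,
        "verdict": "OK" if rate <= max_drop else "UNDERSIZED",
    }


if __name__ == "__main__":
    result = assess_sensor(SAMPLE_STATS, link_gbps=1)
    for key, value in result.items():
        print(f"{key:>13}: {value}")
```

Run it against the text of a sensor's exit summary (or a perfmonitor log you have reformatted into the same counters); a box that shows several percent dropped at the building's normal load is the hardware problem the reply above warns about, and no amount of rule tuning will fix it.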

