Snort mailing list archives
Re: New snort install question
From: Jason Haar <Jason_Haar () trimble com>
Date: Tue, 22 May 2012 08:34:04 +1200
On 22/05/12 07:37, Sallee, Stephen (Jake) wrote:
> We have 50+ buildings on campus and the idea is to place a single snort box in each building and have it sniff the uplink traffic, then report back to our NAC system (Packetfence). The goal was to be able to use some of our older desktops (Dell 960s) as kind of snort nodes with no keyboard, mouse or monitor.
What are the uplinks? I'd guess either 1G or 10G? Do "old" Dell 960s have PCIe buses and Ethernet cards to match, and do they have high-end CPUs that can keep up with "counting" 1-10Gbps Ethernet traffic? I think you may be expecting too much of the hardware?
> We would prefer to be able to manage all of these distributed snort boxes from a single place or at least from a web GUI on each box.
>
> #1. Am I way off base thinking about using snort this way?
Assuming I am correct about the uplink speeds, this is probably the best way of doing it. The only other option would be to "collapse" those uplinks into a single area and SPAN that - but then you're in the 10-100Gbs range...? Methinks that's a harder problem to solve ;-)
> #3. Am I missing something crucial that would make me look like an idiot when I go to set this up?
First question is always: "what are you trying to achieve"? Second is "what is your budget" ;-). If you are wanting to protect your computers from your computers, then you are on the right track. If you are trying to protect your computers from "the Internet", then you're doing it wrong - you only need one NIDS at the edge of your network. Basically, lots of organizations use NIDS to monitor (LAN to) WAN or Internet pipes, few use it to monitor (LAN to) LANs - it's just too expensive and time-consuming (i.e. there's a lot more exotic traffic which leads to a lot more FPs)

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1