Snort mailing list archives

Re: New snort install question


From: livio Ricciulli <livio () metaflows com>
Date: Mon, 21 May 2012 18:27:29 -0700

On 05/21/2012 02:19 PM, Sallee, Stephen (Jake) wrote:

Jason, thank you for your response.

> What are the uplinks?

The uplinks are 1Gb. The idea would be to span a port on the switch and let the snort box passively analyze that traffic with a separate link on the snort box for management and reporting. We are thinking that this would be the easiest way to sniff our traffic yet keep the box out of band. That way even if it does get bogged down it won't introduce latency into the network.

Good plan. Power supplies always go; it is not a question of if, it is a question of when..

> ... do they have high-end CPUs...

Intel core i3 @ 3.2Ghz, 4 GB DDR3 RAM @ 10666, 300 GB SATAII HD, 2 x 1 Gb NIC.

Does that sound sufficient for real time monitoring? We are not interested in historical reporting right now as we are planning on sending the events to a syslog server and our NAC.

As a back of the envelope calculation. If you use PF_RING (to run 3-4 snort processes in parallel on your 3-4 hyperthreads), roughly, you will be able to monitor 100-300 Mbps with ~6000 rules.
See www.snort.org/assets/186/PF_RING_Snort_Inline_Instructions.pdf

> ... what are you trying to achieve...

We are indeed trying to protect our LAN from internal threats. We have a well-protected internet facing edge but as a university we have a few thousand non-university owned assets that access our network every day. Once these devices are on my network they have bypassed my armored edge and are able to poke away at my soft belly ... I don't like that.

You are smart.. Internal monitoring can be challenging because of the rule tuning required; but it is also very important in my opinion. Today smart phones/laptops traverse firewalls every day; so perimeter defenses are getting obsolete.. You are going to need a good event management system..
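The PF_RING sizing advice above (one Snort worker per hardware thread, all sharing a PF_RING cluster so the kernel spreads flows across them) is easy to get wrong by hand, so here is an added launcher script that is not part of this thread and not Snort's or ntop's own tooling. It assumes the SPAN-facing NIC is eth1 with no IP address, that the config lives at /etc/snort/snort.conf, a per-worker figure of about 75 Mbps (the thread's 100-300 Mbps spread over 3-4 workers), and that the pfring DAQ module accepts `--daq-var bindcpu=` for core pinning; `--daq pfring` and `--daq-var clusterid=` are the standard Snort 2.9 DAQ options for PF_RING.

```shell
#!/bin/sh
# Added example, not from the thread: start one Snort worker per CPU thread on a
# shared PF_RING cluster and sanity-check the box against the expected uplink load.
# Interface, paths, cluster id and the per-worker throughput are assumptions.

SNIFF_IF="${SNIFF_IF:-eth1}"                      # assumed: SPAN port NIC, no IP, no gateway
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}" # assumed path
CLUSTER_ID="${CLUSTER_ID:-10}"                    # 1-255; every worker must use the same id
PER_WORKER_MBPS=75                                # assumption derived from the thread's estimate

# Hardware threads available to Snort (falls back to 1 when nproc is missing).
worker_count() {
    n=$(nproc 2>/dev/null || echo 1)
    [ "$n" -ge 1 ] 2>/dev/null || n=1
    echo "$n"
}

# Rough sustainable rate in Mbps for $1 workers: workers x per-worker throughput.
capacity_mbps() {
    echo $(( $1 * PER_WORKER_MBPS ))
}

# Compare expected load ($1, Mbps) with capacity for $2 workers.
# Prints "ok" when the box should keep up, "oversubscribed" when it will drop packets.
fits() {
    if [ "$1" -le "$(capacity_mbps "$2")" ]; then
        echo ok
    else
        echo oversubscribed
    fi
}

# Command line for worker $1 (0-based). All workers share CLUSTER_ID so PF_RING
# load-balances flows between them; bindcpu (assumed available in the pfring DAQ)
# pins worker i to core i. -D daemonizes, -q suppresses banner output.
snort_cmdline() {
    printf 'snort -D -q -c %s -i %s --daq pfring --daq-var clusterid=%s --daq-var bindcpu=%s -l /var/log/snort/w%s\n' \
        "$SNORT_CONF" "$SNIFF_IF" "$CLUSTER_ID" "$1" "$1"
}

# Start every worker. With DRY_RUN=1 the commands are only printed.
start_workers() {
    n=$(worker_count)
    i=0
    while [ "$i" -lt "$n" ]; do
        cmd=$(snort_cmdline "$i")
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$cmd"
        else
            mkdir -p "/var/log/snort/w$i"
            sh -c "$cmd"
        fi
        i=$((i + 1))
    done
}

# Usage: EXPECTED_MBPS=250 sh launch.sh start   (DRY_RUN=1 to print only)
if [ "${1:-}" = start ]; then
    echo "sizing: $(fits "${EXPECTED_MBPS:-250}" "$(worker_count)") at ${EXPECTED_MBPS:-250} Mbps with $(worker_count) workers"
    start_workers
fi
```

The sizing check is deliberately pessimistic: if `fits` reports `oversubscribed` for the uplink's real peak rather than its average, the sensor will silently drop packets and produce gaps that look like clean traffic, which is the failure mode to watch for on a passive SPAN deployment.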

-----Original Message-----
From: Jason Haar [mailto:Jason_Haar () trimble com]
Sent: Monday, May 21, 2012 3:34 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] New snort install question

On 22/05/12 07:37, Sallee, Stephen (Jake) wrote:

> We have 50+ buildings on campus and the idea is to place a single
> snort box in each building and have it sniff the uplink traffic, then
> report back to our NAC system (Packetfence).  The goal was to be able
> to use some of our older desktops (Dell 960s) as kind of snort nodes
> with no keyboard, mouse or monitor.

What are the uplinks? I'd guess either 1G or 10G? Do "old" Dell 960s have PCIe buses and Ethernet cards to match, and do they have high-end CPUs that can keep up with "counting" 1-10Gbps Ethernet traffic? I think you may be expecting too much of the hardware?

> We would prefer to be able to manage all of these distributed snort
> boxes from a single place or at least from a web GUI on each box.
>
> #1. Am I way off base thinking about using snort this way?

Assuming I am correct about the uplink speeds, this is probably the best way of doing it. The only other option would be to "collapse" those uplinks into a single area and SPAN that - but then you're in the 10-100Gbs range...? Methinks that's a harder problem to solve ;-)

> #3. Am I missing something crucial that would make me look like an
> idiot when I go to set this up?

First question is always: "what are you trying to achieve"? Second is "what is your budget" ;-). If you are wanting to protect your computers from your computers, then you are on the right track. If you are trying to protect your computers from "the Internet", then you're doing it wrong - you only need one NIDS at the edge of your network.

Basically, lots of organizations use NIDS to monitor (LAN to) WAN or Internet pipes, few use it to monitor (LAN to) LANs - it's just too expensive and time-consuming (i.e. there's a lot more exotic traffic which leads to a lot more FPs)

--

Cheers

Jason Haar

Information Security Manager, Trimble Navigation Ltd.

Phone: +1 408 481 8171

PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

------------------------------------------------------------------------------

Live Security Virtual Conference

Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________

Snort-users mailing list

Snort-users () lists sourceforge net <mailto:Snort-users () lists sourceforge net>

Go to this URL to change user options or unsubscribe:

https://lists.sourceforge.net/lists/listinfo/snort-users

Snort-users list archive:

http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

