Snort mailing list archives
Re: New snort install question
From: livio Ricciulli <livio () metaflows com>
Date: Mon, 21 May 2012 18:27:29 -0700
On 05/21/2012 02:19 PM, Sallee, Stephen (Jake) wrote:
> Jason, thank you for your response.
>
> > What are the uplinks?
>
> The uplinks are 1Gb. The idea would be to span a port on the switch and let the snort box passively analyze that traffic, with a separate link on the snort box for management and reporting. We are thinking that this would be the easiest way to sniff our traffic yet keep the box out of band. That way, even if it does get bogged down, it won't introduce latency into the network.

Good plan. Power supplies always go; it is not a question of if, it is a question of when..

> > ... do they have high-end CPUs...
>
> Intel core i3 @ 3.2Ghz, 4 GB DDR3 RAM @ 10666, 300 GB SATAII HD, 2 x 1 Gb NIC. Does that sound sufficient for real time monitoring? We are not interested in historical reporting right now as we are planning on sending the events to a syslog server and our NAC.

As a back of the envelope calculation: if you use PF_RING (to run 3-4 snort processes in parallel on your 3-4 hyperthreads), roughly, you will be able to monitor 100-300 Mbps with ~6000 rules.

See www.snort.org/assets/186/PF_RING_Snort_Inline_Instructions.pdf

> > ... what are you trying to achieve...
>
> We are indeed trying to protect our LAN from internal threats. We have a well-protected internet facing edge, but as a university we have a few thousand non-university owned assets that access our network every day. Once these devices are on my network they have bypassed my armored edge and are able to poke away at my soft belly ... I don't like that.

You are smart.. Internal monitoring can be challenging because of the rule tuning required; but it is also very important in my opinion. Today smart phones/laptops traverse firewalls every day; so perimeter defenses are getting obsolete.. You are going to need a good event management system..

> -----Original Message-----
> From: Jason Haar [mailto:Jason_Haar () trimble com]
> Sent: Monday, May 21, 2012 3:34 PM
> To: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] New snort install question
>
> On 22/05/12 07:37, Sallee, Stephen (Jake) wrote:
> > We have 50+ buildings on campus and the idea is to place a single snort box in each building and have it sniff the uplink traffic, then report back to our NAC system (Packetfence). The goal was to be able to use some of our older desktops (Dell 960s) as kind of snort nodes with no keyboard, mouse or monitor.
>
> What are the uplinks? I'd guess either 1G or 10G? Do "old" Dell 960s have PCIe buses and Ethernet cards to match, and do they have high-end CPUs that can keep up with "counting" 1-10Gbps Ethernet traffic? I think you may be expecting too much of the hardware?
>
> > We would prefer to be able to manage all of these distributed snort boxes from a single place or at least from a web GUI on each box.
> >
> > #1. Am I way off base thinking about using snort this way?
>
> Assuming I am correct about the uplink speeds, this is probably the best way of doing it. The only other option would be to "collapse" those uplinks into a single area and SPAN that - but then you're in the 10-100Gbs range...? Methinks that's a harder problem to solve ;-)
>
> > #3. Am I missing something crucial that would make me look like an idiot when I go to set this up?
>
> First question is always: "what are you trying to achieve"? Second is "what is your budget" ;-). If you are wanting to protect your computers from your computers, then you are on the right track. If you are trying to protect your computers from "the Internet", then you're doing it wrong - you only need one NIDS at the edge of your network.
>
> Basically, lots of organizations use NIDS to monitor (LAN to) WAN or Internet pipes; few use it to monitor (LAN to) LANs - it's just too expensive and time-consuming (i.e. there's a lot more exotic traffic, which leads to a lot more FPs).
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +1 408 481 8171
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
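The sensor design discussed in this thread (a SPAN-fed sniffing NIC kept out of band, a separate management NIC, one Snort process per hyperthread sharing a PF_RING cluster, alerts shipped to syslog for the collector/NAC) can be expressed as a small launcher script. The script below is an added example written for this archive page; it is not code from the thread participants, from Snort, or from the linked PF_RING PDF. It assumes hypothetical values (sniffing NIC `eth1`, PF_RING cluster id 44, the DAQ library under `/usr/local/lib/daq`, logs under `/var/log/snort`) and uses the Snort 2.9 command-line options `-D`, `-s`, `-q`, `-R`, `--daq`, `--daq-dir`, `--daq-mode` and `--daq-var` together with the `clusterid`/`bindcpu` variables of ntop's PF_RING DAQ module; check these against the Snort and DAQ versions actually installed. By default it only prints the commands (`DRY_RUN=1`), so it can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example (not from the thread): start one Snort worker per CPU on a
# PF_RING cluster reading from a SPAN-fed sniffing NIC, and send alerts to
# syslog (-s) so a remote syslog server / NAC can consume them.
# All interface names, ids and paths below are hypothetical defaults.

SNIFF_IF="${SNIFF_IF:-eth1}"                        # SPAN destination, no IP address
WORKERS="${WORKERS:-$(nproc 2>/dev/null || echo 2)}" # one Snort process per hyperthread
CLUSTER_ID="${CLUSTER_ID:-44}"                      # shared so PF_RING balances flows
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
DAQ_DIR="${DAQ_DIR:-/usr/local/lib/daq}"
LOG_DIR="${LOG_DIR:-/var/log/snort}"
DRY_RUN="${DRY_RUN:-1}"                             # 1 = print commands only

# Commands that keep the sniffing NIC out of band: no address, link up in
# promiscuous mode, and receive offloads disabled so the IDS sees real
# wire-sized frames instead of kernel-merged super-packets.
sniff_if_setup() {
    printf '%s\n' \
        "ip addr flush dev $SNIFF_IF" \
        "ip link set dev $SNIFF_IF up promisc on" \
        "ethtool -K $SNIFF_IF gro off lro off"
}

# Snort command line for worker N (0-based). Every worker joins the same
# PF_RING cluster id, is pinned to CPU N, gets its own log dir and its own
# pid-file suffix (-R) so the daemons do not clobber each other.
snort_cmd() {
    n="$1"
    printf 'snort -D -s -q -i %s -c %s -l %s/worker%s -R %s --daq-dir %s --daq pfring --daq-mode passive --daq-var clusterid=%s --daq-var bindcpu=%s\n' \
        "$SNIFF_IF" "$SNORT_CONF" "$LOG_DIR" "$n" "$n" "$DAQ_DIR" "$CLUSTER_ID" "$n"
}

# Refuse to start more workers than there are CPUs to pin them to.
# Takes an optional CPU count (defaults to nproc) so it can be checked offline.
check_workers() {
    cpus="${1:-$(nproc 2>/dev/null || echo 1)}"
    [ "$WORKERS" -ge 1 ] && [ "$WORKERS" -le "$cpus" ]
}

run_or_print() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$1"; else sh -c "$1"; fi
}

main() {
    if ! check_workers; then
        echo "WORKERS=$WORKERS exceeds the CPU count on this host" >&2
        return 1
    fi
    sniff_if_setup | while read -r cmd; do run_or_print "$cmd"; done
    i=0
    while [ "$i" -lt "$WORKERS" ]; do
        run_or_print "mkdir -p $LOG_DIR/worker$i"
        run_or_print "$(snort_cmd "$i")"
        i=$((i + 1))
    done
}

main "$@"
```

Run it once with the default `DRY_RUN=1` to review the generated commands, then `DRY_RUN=0 sh launch-snort.sh` as root to apply them; `WORKERS`, `SNIFF_IF` and `CLUSTER_ID` can be overridden from the environment per building. The management NIC is deliberately never touched by this script.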
Current thread:
- New snort install question Sallee, Stephen (Jake) (May 21)
- Re: New snort install question Jason Haar (May 21)
- Re: New snort install question Sallee, Stephen (Jake) (May 21)
- Re: New snort install question Vivek Rajagopalan (May 22)
- Re: New snort install question Sallee, Stephen (Jake) (May 22)
- Re: New snort install question livio Ricciulli (May 22)
- Re: New snort install question Sallee, Stephen (Jake) (May 21)
- Re: New snort install question Jason Haar (May 21)