Snort mailing list archives
Re: New install questions.
From: "Sallee, Stephen (Jake)" <Jake.Sallee () umhb edu>
Date: Thu, 7 Mar 2013 00:46:39 +0000
Greg, you make an excellent point. A honeypot server would be a better solution for outside the FW. Pair that with the IDS internally and I may just have a good working theory.... Thank you!

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton TX. 76513
Fone: 254-295-4658
Phax: 254-295-4221
HTTP://WWW.UMHB.EDU

From: Greg Williams [mailto:gwillia5 () uccs edu]
Sent: Wednesday, March 06, 2013 6:14 PM
To: Sallee, Stephen (Jake); snort-users () lists sourceforge net
Subject: RE: [Snort-users] New install questions.

Jake, I would argue the opposite. Your firewall is there for a reason. If you are bombarded with seeing what is happening on the outside of your perimeter you may miss something that did make it past your firewall. I might suggest a honeypot outside your firewall to see who is banging on your perimeter. Block the IPs that come from that.

Sounds like you are almost the same size as we are. Typically ~400-600Mbps of traffic.

I use SO for my home network. It's a great tool.

Greg Williams
IT Security Principal
University of Colorado at Colorado Springs
Website: http://www.uccs.edu/itsecure

From: Sallee, Stephen (Jake) [mailto:Jake.Sallee () umhb edu]
Sent: Wednesday, March 06, 2013 5:01 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] New install questions.

Thank you all for your input! I also just realized that all of my replies are not going to the list ... blasted outlook :(

> IMHO, you need to be on the inside of the firewall, let the firewall block the majority of the nonsense, and let Snort concentrate on what actually makes it through the Firewall.

I thought about this, and the only reason I thought about the outside of the FW was that I would like to know when someone is hammering on my FW. The analogy I was envisioning was listening for the bad guy banging on the door and not the sound of the door breaking in. I am trying to adopt a more proactive security posture; if I only sniff traffic inside the firewall then I would be missing the attempts at a break-in and only seeing if they are successful, and at that time I am already in trouble. Am I missing something?

Also (this is the part that didn't make it to the list) someone mentioned Security Onion. SO is AMAZING! I did a POC deployment and my management went nuts for it. I am scheduled to deploy a SO sensor net with about 50-60 sensors this summer, sniffing all my internal traffic. So a BIG thank you to Doug.

My only concern about SO in this instance is its constant packet capture feature, which is fantastic on my internal links, but my internet link is at an almost constant 250Mb/sec bursting to 500Mb/sec. Accounting for logs and packet capture data that is almost 3TB a day ... that's actually not too bad. Hmmmm....

Thank you all again!

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton TX. 76513
Fone: 254-295-4658
Phax: 254-295-4221
HTTP://WWW.UMHB.EDU

From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Wednesday, March 06, 2013 3:24 PM
To: Sallee, Stephen (Jake)
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] New install questions.

On Mar 6, 2013, at 3:30 PM, "Sallee, Stephen (Jake)" <Jake.Sallee () umhb edu> wrote:

> 1) Normally where would you deploy a SNORT IDS? My thoughts are to deploy it out of band using a monitor session on the internet switch, with a dedicated management interface for sending emails and such from the snort box. Basically setting it up as a tap on the outside interface of my firewall.

IMHO, you need to be on the inside of the firewall, let the firewall block the majority of the nonsense, and let Snort concentrate on what actually makes it through the Firewall.

> 2) What kind of hardware do I need? Since this is my internet sniffer it will be seeing some rather exotic traffic and will need some careful tuning to get right. I would like to be able to use as many rules as possible, but more rules = more CPU and RAM. Given that, what kind of hardware am I looking at to be able to use a good and thorough rule set while not getting bogged down under peak conditions (theoretically about 3Gb/sec).

You'll probably need something like flow dividing and pinning to CPUs. There are lots of articles out there on this information. One of the more recent that discusses this topic (although it really doesn't tell you how to configure Snort): http://erratasec.blogspot.com/2013/02/multi-core-scaling-its-not-multi.html Worth a good read. I believe the Security Onion distro does this now (Doug, care to confirm?)

> 3) Homebrew vs. Vendor. Sourcefire makes what I consider to be the gold standard of snort based IDS ... or IDS in general.

Thank you.

> But, is the GUI and support necessary?

Depends on your use case, but for an enterprise, at the speeds you are talking, a GUI would make things easier to manage and simpler to use.

> If I can successfully demo and deploy this tech on a homebrew box could I get professional support without buying the hardware from a vendor like sourcefire, or should I skip the roll-your-own setup and go for broke with a fully supported platform first?

I don't want to discuss our product on list, as vendor discussion is pretty much disallowed, but you are welcome to contact me off list. We do not offer a paid support offering for Snort from Sourcefire, but we do offer services for Snort: http://www.snort.org/services. The VRT rules are always supported by the VRT at any time, whether you buy a subscription or not.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
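The honeypot-outside-the-firewall idea in Greg's reply ("see who is banging on your perimeter, block the IPs that come from that") in working form, as an added example that is not code from the thread, from Snort or from Security Onion. It assumes a hypothetical honeypot log format (one line per inbound connection attempt, `src=` and `dport=` fields; the sample lines are constructed) and adds the two safeguards anyone automating this needs: a hit threshold, so one spoofed packet does not earn a block, and a never-block list covering RFC 1918 space and your own public prefix, so a scan from your own monitoring host cannot black-hole your own addresses.

```python
"""Turn honeypot hits into a firewall block list.

Added example for the Snort-users thread above; not code from the Snort
project, from Security Onion or from any poster. It assumes a hypothetical
honeypot that writes one line per inbound connection attempt in the form
    2013-03-06T23:14:02Z src=198.51.100.23 dport=22
(the sample lines below are constructed for this example).
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample honeypot log; the format is an assumption of this example.
SAMPLE_LOG = """\
2013-03-06T23:14:02Z src=198.51.100.23 dport=22
2013-03-06T23:14:03Z src=198.51.100.23 dport=23
2013-03-06T23:14:04Z src=198.51.100.23 dport=3389
2013-03-06T23:14:05Z src=198.51.100.23 dport=445
2013-03-06T23:15:00Z src=203.0.113.9 dport=22
2013-03-06T23:16:10Z src=10.0.5.4 dport=22
2013-03-06T23:16:11Z src=10.0.5.4 dport=80
2013-03-06T23:16:12Z src=10.0.5.4 dport=443
2013-03-06T23:17:00Z src=192.0.2.77 dport=22
2013-03-06T23:17:01Z src=192.0.2.77 dport=22
2013-03-06T23:17:02Z src=192.0.2.77 dport=22
2013-03-06T23:17:03Z src=192.0.2.77 dport=22
2013-03-06T23:17:04Z src=192.0.2.77 dport=22
2013-03-06T23:18:00Z src=203.0.113.50 dport=22
2013-03-06T23:18:01Z src=203.0.113.50 dport=3306
2013-03-06T23:18:02Z src=203.0.113.50 dport=1433
this line is garbage and must be skipped
"""

LINE_RE = re.compile(r"src=(?P<src>\S+)\s+dport=(?P<dport>\d+)")

# Ranges that must never reach the block list: RFC 1918 space plus the
# organisation's own public prefix. 192.0.2.0/24 is a documentation prefix
# standing in for "our own /24" (an assumption here); substitute the real one.
NEVER_BLOCK = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("192.0.2.0/24"),
]


def parse_log(text):
    """Yield (src_ip, dport) for each well-formed line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            yield ipaddress.ip_address(m.group("src")), int(m.group("dport"))
        except ValueError:  # unparsable address: ignore, do not crash
            continue


def is_protected(ip):
    """True if ip (str or address object) falls inside a never-block range."""
    if not isinstance(ip, (ipaddress.IPv4Address, ipaddress.IPv6Address)):
        ip = ipaddress.ip_address(ip)
    return any(ip in net for net in NEVER_BLOCK)


def summarize(text):
    """Map each source address to (hit count, set of destination ports)."""
    hits = defaultdict(int)
    ports = defaultdict(set)
    for src, dport in parse_log(text):
        hits[src] += 1
        ports[src].add(dport)
    return {src: (hits[src], ports[src]) for src in hits}


def build_blocklist(text, min_hits=3):
    """Return sources (as strings, numerically sorted) with at least min_hits
    honeypot hits that lie outside every protected range."""
    stats = summarize(text)
    return [
        str(src) for src in sorted(stats)
        if stats[src][0] >= min_hits and not is_protected(src)
    ]


def render_rules(blocklist):
    """Render the block list as iptables DROP rules, one per source."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in blocklist]


if __name__ == "__main__":
    for rule in render_rules(build_blocklist(SAMPLE_LOG)):
        print(rule)
```

With the sample log only 198.51.100.23 and 203.0.113.50 are emitted: 203.0.113.9 is under the threshold, and 10.0.5.4 and 192.0.2.77 are inside protected ranges no matter how many hits they generate. In production the rendered rules would go into an ipset or the perimeter firewall's own block list with an expiry, rather than being appended to the INPUT chain forever.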
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- New install questions. Sallee, Stephen (Jake) (Mar 06)
- Re: New install questions. Heine Lysemose (Mar 06)
- Re: New install questions. Joel Esler (Mar 06)
- Re: New install questions. Doug Burks (Mar 06)
- Re: New install questions. Sallee, Stephen (Jake) (Mar 06)
- Re: New install questions. Greg Williams (Mar 06)
- Re: New install questions. Sallee, Stephen (Jake) (Mar 06)
- Re: New install questions. Gregory W. MacPherson (Mar 11)
- Re: New install questions. Greg Williams (Mar 07)
- <Possible follow-ups>
- Re: New install questions. Sallee, Stephen (Jake) (Mar 07)