Snort mailing list archives

Re: Snort Implementation Guide - ACID-MySQL-Redhat7.2


From: Steve Scott <sjscott007 () earthlink net>
Date: 25 Jul 2002 13:34:04 -0500

Actually, 10/100 hubs are cheap.  They cost about 30 - 40 bucks and
unless you're utilizing 70 to 80 percent of your bandwidth the hubs will
work just fine.  For redundancy just keep some spares around.

We have two T-3s (90 megs) that are utilizing about 60 percent of the
bandwidth without any problems.

You don't want to put all the segments on one hub, for a couple of
reasons:

1. You will see all the traffic for all the segments and not be able to
distinguish between the segments.

2. You probably have a ton of collisions, thus you have performance
issues.

The other option is to buy a switch that supports port mirroring and
VLANs.  This is expensive and depending on the amount of traffic you may
overburden the switch.

The illustration shows 3 separate IDS systems.  In reality you can have
one snort box with multiple interfaces that monitor each segment.  Just
make sure you have a powerful enough box.

Regards,

Steve


On Tue, 2002-07-23 at 04:09, Iñaki Martínez wrote:
Hi!!!

I recently finished a large scale deployment of snort sensors, and
produced a guide.  You can find it at
http://home.earthlink.net/~sjscott007/

Let me know what you think.

 Really GOOD work........

 I would ask you two questions:

 In the graph "Conceptual Physical IDS Layout":

 1) if there is nothing between the firewall and the internet, how do you
implement the external IDS?

 2) how can the hubs be substituted (using another method)?
    I think that using 3 hubs, each of them using only 3 ports, is
expensive.


 Thanks for your guide!!!!!!!







