Snort mailing list archives

Re: Best Enterprise Snort Configuration


From: Bennett Todd <bet () rahul net>
Date: Fri, 14 Feb 2003 12:40:16 -0500

2003-02-14T10:52:28 Kreimendahl, Chad J:
> What brings on the need for 60-70 sensors?

I can't speak for the original questioner, but in my case it is
simply a proliferation of interfaces we want to watch, most of them
distinctly geographically separated, combined with a preference for
using the cheapest possible 1U sensors and not having to sweat
tuning them for performance.

> There may be many better ways to consolidate several links into
> one (monitoring a DMZ or VLAN for example)...

In some cases, where we have both modest bandwidth and
physical proximity, we're doing just that; since we're
snorting on Red Hat 7.3, we can just use the bonding driver
(/usr/src/linux/Documentation/networking/bonding.txt, ifenslave is
the command to enable it) to consolidate traffic.

But if longer-distance backhauls or higher-bandwidth-capable
platforms would be required, we just roll out separate sensors. In a
world-wide enterprise, this happens a lot.

> Depending on how much money you want to spend (hardware/software),
> you may consider people like Sourcefire or Demarc.  If you have
> in-house developers, you may even consider using them to develop a
> tool.

I developed enterprise configuration management components for this;
the config is completely packaged, including the tuned sigs, and an
automatic package updater allows for convenient maintenance.

> I would recommend Oracle if you're going to plan on having more
> than a few hundred thousand records in the DB.

Another approach is to consolidate using syslog. With sensors placed
inside the perimeter (so attacks that are turned away aren't seen at
all), and tuned to eliminate false positives, the alert volumes are
modest, and syslog aggregates quite conveniently.

> I would recommend a dual 1.4+GHz box for doing 2 gigE or quad
> ethernet.

2 or more gigE can make sense if interface constraints require it
(e.g. if bonding together the outputs from a tap), but a single box
can't handle more than 50Mbps without tuning, 200-300Mbps with
tuning, possibly approaching 500-600Mbps with the best tuned
software and PCIx busses.

-Bennett
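The syslog consolidation Bennett describes above, worked through as an added example; this is not code from the post, from Snort, or from Bennett's configuration-management tooling. It assumes each sensor's snort.conf uses `output alert_syslog: LOG_LOCAL4 LOG_ALERT` and forwards that facility with a `local4.* @loghost` line in /etc/syslog.conf (the collector's syslogd started with `-r` so it accepts remote messages). The sensor names, addresses and alert lines are constructed samples; the script parses Snort's alert_syslog format on the collector and summarises alerts per sensor and per signature, then picks out sources that tripped rules at more than one site, which is the one thing a single sensor cannot tell you.

```python
"""Consolidate Snort alert_syslog output collected from several sensors.

Added example, not from the mailing-list post. Assumed sensor-side setup:
  snort.conf:        output alert_syslog: LOG_LOCAL4 LOG_ALERT
  /etc/syslog.conf:  local4.*   @loghost      (collector runs syslogd -r)
The sample log lines below are constructed for illustration.
"""
import re
from collections import Counter, defaultdict

# One Snort alert after the classic syslog header (month, day, time, host,
# tag). Classification is optional because rules without a classtype omit
# it; ports are optional because ICMP alerts carry none.
ALERT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<sensor>\S+) snort(?:\[\d+\])?: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?"
    r"\[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>[A-Z]+)\} "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))? -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?$"
)

# Constructed sample of a consolidated log: three sensors (hostnames are
# assumptions), one non-Snort line that also landed on the collector.
SAMPLE_SYSLOG = """\
Feb 14 12:40:16 sensor-nyc01 snort[1234]: [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 203.0.113.7 -> 192.0.2.10
Feb 14 12:40:17 sensor-nyc01 snort[1234]: [1:1256:7] WEB-IIS CodeRed v2 root.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 203.0.113.7:3201 -> 192.0.2.10:80
Feb 14 12:41:02 sensor-lon01 snort[771]: [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 203.0.113.7 -> 192.0.2.70
Feb 14 12:41:05 sensor-lon01 snort[771]: [1:1256:7] WEB-IIS CodeRed v2 root.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 203.0.113.7:3255 -> 192.0.2.70:80
Feb 14 12:45:30 sensor-sin01 snort[902]: [1:1122:5] WEB-MISC /etc/passwd [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 198.51.100.23:40112 -> 192.0.2.130:80
Feb 14 12:45:31 sensor-sin01 snort[902]: [1:100001:1] LOCAL policy test rule [Priority: 3]: {UDP} 192.0.2.131:5353 -> 192.0.2.130:5353
Feb 14 12:46:00 sensor-sin01 sshd[5120]: Accepted publickey for ids from 192.0.2.200 port 51022 ssh2
"""


def parse_alert(line):
    """Return the alert fields as a dict, or None for lines that are not
    Snort alerts (other daemons, Snort's own status messages)."""
    m = ALERT_RE.match(line.rstrip("\n"))
    if not m:
        return None
    d = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        d[key] = int(d[key])
    return d


def consolidate(lines, min_sensors=2):
    """Summarise alerts across sensors.

    Returns per-sensor counts, per-signature counts keyed by
    (gid, sid, msg), the sources that tripped rules at min_sensors or more
    distinct sensors (a sweep that looks like noise at any one site), and
    the number of lines that were not Snort alerts.
    """
    by_sensor = Counter()
    by_sig = Counter()
    sensors_per_src = defaultdict(set)
    unparsed = 0
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            unparsed += 1
            continue
        by_sensor[alert["sensor"]] += 1
        by_sig[(alert["gid"], alert["sid"], alert["msg"])] += 1
        sensors_per_src[alert["src"]].add(alert["sensor"])
    multi_site = {
        src: sorted(seen)
        for src, seen in sensors_per_src.items()
        if len(seen) >= min_sensors
    }
    return {
        "by_sensor": dict(by_sensor),
        "by_sig": dict(by_sig),
        "multi_site_sources": multi_site,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    summary = consolidate(SAMPLE_SYSLOG.splitlines())
    for sensor, n in sorted(summary["by_sensor"].items()):
        print(f"{sensor}: {n} alerts")
    for (gid, sid, msg), n in sorted(summary["by_sig"].items()):
        print(f"  [{gid}:{sid}] {msg}: {n}")
    for src, sensors in summary["multi_site_sources"].items():
        print(f"seen at {len(sensors)} sites: {src} ({', '.join(sensors)})")
    print(f"non-alert lines: {summary['unparsed']}")
```

Two caveats apply when the collector is plain syslogd as in the post: the classic header carries no year and no timezone, so ordering alerts from sensors in different regions depends on the sensors keeping good time (NTP) or on the collector stamping receipt time; and remote syslog over UDP/514 is unauthenticated and lossy, so the counts above are a lower bound and a spoofed line from inside the perimeter would be accepted as readily as a real one.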
