Snort mailing list archives

Re: uses of multiple sensors


From: "sunzi" <sunzi () mod-x co uk>
Date: Thu, 20 Mar 2003 07:32:04 -0500

Bishan,

I use multiple sensors to break up my rulesets according to the system(s)
they're protecting. I've been known to create a single node for
network-centric attacks, and others for rules directly affecting various
operating systems in the LAN.

Also, on the actual systems that I run snort (some are physically located on
critical servers) I use it to drastically lighten the load of the sensor in
question. For example, on Web servers, I am known to run multiple instances
of snort, a primary that is only concerned about port 80, one that looks at
everything else according to O/S, and one that I have ready to go to sniff
100% of traffic from a subnet on that machine. I also have a tendency to use
a highly restricted ruleset and couple it with BlackIce for my Win32 Servers
to provide auto-blockage for a limited ruleset of my choosing.

It may seem kinda drastic, or even crazy, but it's flexible, and still light
on memory when tweaked well. I've been able to easily run upwards of 10
snort nodes on a production Web server that was getting well over 200
concurrent users, and has been known to get 500+.

hth,
sunzi

----- Original Message -----
From: "Always Bishan" <bishan4u () yahoo co uk>
To: <snort-users () lists sourceforge net>
Sent: Thursday, March 20, 2003 6:30 AM
Subject: [Snort-users] uses of multiple sensors


hi snorters,

i have 2 snort sensors in my network.

one use that i can make out of having multiple sensors
is for load balancing, that is, i can put it to watch
small networks and thus reduce the load on every
instance.

i think it would be quite beneficial for all of us, if
some snort greats present here can enlighten us more
on *uses of having multiple sensors*

this will definitely help a lot of us, now and in
future.

Thanx in advance.

Bishan

__________________________________________________
Do You Yahoo!?
Everything you'll ever need on one web page
from News and Sport to Email and Music Charts
http://uk.my.yahoo.com


-------------------------------------------------------
This SF.net email is sponsored by: Tablet PC.
Does your code think in ink? You could win a Tablet PC.
Get a free Tablet PC hat just for playing. What are you waiting for?
http://ads.sourceforge.net/cgi-bin/redirect.pl?micr5043en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
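
The reply above describes one Snort instance that only handles port 80 and another for everything else. As an added example (not code from the post or from the Snort project), here is one way to split a ruleset between two such instances by the ports each rule header covers. It assumes each instance only sees traffic for its own destination port(s) and that `$HTTP_PORTS` is 80; the sample rules and function names are constructed.

```python
import re

# Constructed sample rules (not from the post); $HTTP_PORTS is assumed to be 80.
SAMPLE_RULES = """\
# constructed example ruleset
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"web only"; sid:1000001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ssh only"; sid:1000002;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"any port"; sid:1000003;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"port variable"; sid:1000004;)
alert tcp $EXTERNAL_NET any -> $HOME_NET !80 (msg:"negated port"; sid:1000005;)
alert tcp $HOME_NET 80 <> $EXTERNAL_NET 1024: (msg:"bidirectional"; sid:1000006;)
"""

# Rule header: action proto src_ip src_port direction dst_ip dst_port (options)
HEADER = re.compile(r"^\w+\s+\w+\s+\S+\s+(\S+)\s+(->|<>)\s+\S+\s+(\S+)\s*\(")

def ports(spec, port_vars):
    """Expand a port spec (any, N, lo:hi, :hi, lo:, !spec, $VAR) to a set of ints."""
    if spec.startswith("!"):
        return set(range(65536)) - ports(spec[1:], port_vars)
    if spec.startswith("$"):
        return ports(port_vars[spec[1:]], port_vars)
    if spec == "any":
        return set(range(65536))
    lo, _, hi = spec.partition(":")
    if ":" not in spec:
        hi = lo  # single port
    return set(range(int(lo or 0), int(hi or 65535) + 1))

def split_rules(text, web_port=80, port_vars=None):
    """Assign each rule to the 'web' instance, the 'other' instance, or both."""
    port_vars = port_vars or {"HTTP_PORTS": "80"}  # assumed variable value
    out = {"web": [], "other": []}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # comments, blank lines, anything that is not a rule
        covered = ports(m.group(3), port_vars)
        if m.group(2) == "<>":  # bidirectional: either side may be the destination
            covered |= ports(m.group(1), port_vars)
        if web_port in covered:
            out["web"].append(line)
        if covered - {web_port}:
            out["other"].append(line)  # rule can also fire on non-web ports
    return out
```

Rules whose port spec covers both port 80 and other ports (such as `any`) land in both lists, so neither instance loses coverage when the ruleset is split.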



