Snort mailing list archives
Re: Am I in the right place? (was: Tips for using ACID in a multi-admin environment)
From: Brian <bmc () snort org>
Date: Thu, 29 May 2003 17:05:08 -0400
On Thu, May 29, 2003 at 01:46:02PM -0500, Williams Jon wrote:
> I apologize if this seems a bit troll-like, I don't intend it to be. I posted this message a couple of weeks ago and got zero responses. A few days later, someone else asked about Fortune 500 users and I saw, I think, one response. While I read this list a lot, I'm starting to wonder if I'm asking questions in the right place.
Well, this is the place. There are a ton of large corporations, government, and military installations (not just US mil & gov). I know for a fact that snort is used all over the place. I'll go through your questions one by one and try and answer so you don't feel as if you are talking to a void.
> I've been using snort for a while now, something like 2-3 years, and am monitoring a moderate amount of traffic (i.e. the busiest box is watching between 50-60 mbps sustained during business hours, and I've got several scattered across multiple timezones). I believe, rightly or wrongly, that I've gone through the same phases that I see a lot of people go through on this list (how do I build it, why doesn't it run, why do I get so many alerts for stuff I don't care about, how do I write a custom rule) and am now starting to ask other questions, like the one below. Since I don't get any response, I'm not sure if
> a) people are too concerned about their corporate security to share,
Yep. Basically, if you talk on a product/tool mailing list, you probably use that tool. Security people are generally very paranoid about security stuff.
> b) are willing to share but are no longer on this particular list,
Nah, mostly people don't like to share because they fear they don't know enough (though, most times their fears are invalid) or they figure Erek will answer your questions. (Erek rocks, but he's only two or three guys, and sometimes in the exchange between the three guys, things get dropped. :P)
> c) are willing to answer, but my situation is unique,
Could be. That happens quite a bit.
> or d) there's no answer to my problems.
Could be. I don't remember your question, but I have about 300 emails from snort-users that I haven't read yet.
> So, is there a better list for advanced snort issues and/or enterprise snort deployment questions?
Nope. This is the place. This list does get quite a bit of traffic, so maybe waiting a few more days for someone to answer might be appropriate. We've got to wade through all of those php/acid/mysql/postgres/linux-8.0 questions to get to the "new" ones.
-brian