Snort mailing list archives

Re: Am I in the right place? (was: Tips for using ACID in a multi-admin environment)


From: Erek Adams <erek () snort org>
Date: Thu, 29 May 2003 19:12:35 -0400 (EDT)

On Thu, 29 May 2003, Williams Jon wrote:

> I apologize if this seems a bit troll-like, I don't intend it to be.

If you're a Troll, then I'll be Billy-Goat Gruff [0].  ;-)

> I posted this message a couple of weeks ago and got zero responses.  A
> few days later, someone else asked about Fortune 500 users and I saw, I
> think, one response.  While I read this list a lot, I'm starting to
> wonder if I'm asking questions in the right place.

No, you are.  See below.

> I've been using snort for a while now, something like 2-3 years, and am
> monitoring a moderate amount of traffic (i.e. the busiest box is watching
> between 50-60 mbps sustained during business hours, and I've got several
> scattered across multiple timezones).  I believe, rightly or wrongly, that
> I've gone through the same phases that I see a lot of people go through on
> this list (how do I build it, why doesn't it run, why do I get so many
> alerts for stuff I don't care about, how do I write a custom rule) and am
> now starting to ask other questions, like the one below.  Since I don't get
> any response, I'm not sure if

> a) people are too concerned about their corporate security to share,

This is the case for some folks.  You might be surprised to find out how
much lists like this are monitored for some little tidbit of info.

> b) are willing to share but are no longer on this particular list,

Again some.  Many of the people on this list who are willing to share are
still around, but some have gone away.

> c) are willing to answer, but my situation is unique,

I don't see your situation as unique; it's just a bit unusual.  For the
most part, many companies don't/won't have anyone but you to handle the
security work.

> or d) there's no answer to my problems.

There is, but it depends on you and what's good for your organization.  No
matter what people set up at their site, in all reality it won't be the
'perfect' thing for you.

> So, is there a better list for advanced snort issues and/or enterprise snort
> deployment questions?  If not, are there people on this list who've gone
> through these issues and don't want to discuss them in a public forum?  As I
> said, I'm not trying to be a rabble-rouser, it's just that the great support
> from the mailing list was one of the selling points when I convinced
> management to go Open Source, so it's a bit confusing/embarrassing when I
> send out questions that get no response at all.

As for a better forum: no.  This is the beginner and advanced area.  :)

As for the answer to your problem...  Well, it's complicated.  You have to
examine your current setup and operation to find all the faults that it
has.  You'll then need to dream up how you would like things to 'really
work'.  Sadly, the reality of what you can do is somewhere in the middle of
those two.  There is no perfect solution, and there never will be.

As for ideas...  Well, here are some, in no particular order:

        *  Layered setup
        *  Use something other than ACID (sguil [1])
        *  Use something like NetCool [2]
        *  Divide things up by 'Zones', services, or IP.

Anyway, there are tons more.  It's only limited by your imagination and
funding.  ;-)  If you're interested in specifics, let me know and I'll
explain it in more detail.

Hope that's some help!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

[0]     http://www.funpagesforkids.com/billy/
[1]     http://sguil.sourceforge.net/
[2]     http://www.micromuse.com/products/netcool_suite_overview.html
