Snort mailing list archives

Newbie question (sorta): implementing a replacement SNORT box


From: Greg Webster <greg () intouch ca>
Date: Thu, 5 Jun 2003 13:36:44 -0700

Hi all,

I guess I'm not a complete newbie, as I had some experience with SNORT
as part of the IPCop firewall Linux distribution. I have some questions
though.

A few months back, a client of ours was hit with a nasty 4 day DDoS. He
ended up bringing in a consultant group who borrowed a machine from us
to set up a SNORT IDS machine on the network (alas, it was too late to
actually capture the traffic and find the DDoSser).

Now I've got to get our machine back, which means that I've got to set
up a new client machine with SNORT. The machine will be completely
dedicated to sitting there waiting for a DDoS (or other attack?) to
happen and hopefully capture the information necessary to stop the
DDoSser permanently.

My questions are... am I going down the right road? Is this going to be
an onerous task? I'm quite proficient in Linux; how long should I expect
to spend setting up SNORT to do this? Any suggestions? Please note that
I will not be able to access any configuration on the current SNORT box
(much as I wish I could).

Thanks,

Greg


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users