Snort mailing list archives

Snort Implementation


From: "Adam Towarnyckyj" <adamt () commspeed net>
Date: Tue, 7 Oct 2003 14:01:54 -0700

Howdy all,
            I'm new to the Network Operations field and I just recently
started working at an ISP. I've used Snort in the past, and was
wondering what various forms of implementation other network admins use
for Snort. Like, do you use a dedicated Snort server and have all
traffic routed through it first? Do you park it somewhere on the network
and set the Home and External net variables?
            I'm just wondering because recently I set a server up here
to use Snort. I have it sitting in the server room hooked up to our
master switch. I set the variables for the external network and the
internal network but I'm not getting NEARLY the amount of traffic I
thought I would be. Like, I know many of our users here use Kazaa but I
get no Kazaa alerts whatsoever. I DO get alerts, but mostly alerts
coming from or going to the server IP that Snort is running on. I've
gotten a few other alerts but not many at all.
            So I was also wondering if this setup is poor implementation
and if there is a better way of doing this. I mean, obviously putting
two network cards on this server and hooking one to our router and one
to the switch would be best. I'd catch ALL traffic coming in and going
out. However, this would be a weak point in our network and if this
server failed in some way, we'd lose everything. Plus, they won't let me
do that. :-)
            If anyone can help me out with some suggestions, I'd
appreciate it. I've received emails from other network admins telling us
of activity originating from our network and they include Snort logs as
proof. I'd like to be able to do this myself in the best possible manner
without causing a bottleneck. Thanks!
 
Adam Towarnyckyj
Network Operations
CommSpeed
http://www.commspeed.net/
Phone: 928-772-1111 x131
 
