Snort mailing list archives

Previous By Date Next
Previous By Thread Next

cost/benefit of Snort

From: uuyys84 <uuyys84 () yahoo com>
Date: Fri, 23 Jan 2004 12:02:55 -0800 (PST)
I'm trying to come up with a cost/benefit analysis of
running Snort in a network, in general terms?

Can you add anything that you see is missing or wrong?


A.      COSTS:
        I would guess costs are mostly in human time (FTE)
functions:

        -Installation, configuration
        -Locking down/securing the boxes' processes (i.e.:
Bastille scripts, etc)
        -Patching 
        -Monitoring snort logs to determine legitimate alerts
        -Adding, changing fine tuning filter rules
        -Ideally a 24/7 operation requiring HOW MANY FTEs per
shift?  What does the number of FTEs depend upon?
        -What is the "cost" of having only one shift covered?


        But also hardware and software costs:

        -Dedicated PCs (how many?)  
        -Operating system and Support agreements for the OS
        -Network bandwidth (how do you address questions of
how much network speed is affected by Snort boxes?)


# How do you scale? 
# The book: "Snort 2.0 Intrusion Detection" discusses
different architectures but doesn’t give any kind of
Rule of Thumb for number of boxes per   architecture. 
Yes, I know it depends upon the processor, RAM and BUS
speed, etc…but beyond that, how do you define?
# Would it be safe to say that once you see that you
are dropping packets you need to add another box?  Is
it just trial and error ONLY?


B.      BENEFITS:

        -They can alert you to the presence of attacks
(internal and external) the majority of attacks occur,
knowingly or unknowingly, from within the network)
        -Identifies vulnerabilities and weaknesses in the
perimeter protection devices: firewalls and routers
        -"What you don’t know CAN hurt you"
        -Preventative knowledge: IDSs can alert you to
reconnaissance scanning in your network which can
alert you to impending attacks
        -Helps enforce security policies
        -Great sources of forensic evidence
        -Inline IDSs can halt active attacks on your network
        -Rounds out an overall security model


Can you add anything or correct me?

Thanks,



-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: