Snort mailing list archives
Re: Snort Analysis platform
From: Michael Boman <michael.boman () gmail com>
Date: Tue, 30 Nov 2004 21:50:48 +0800
Sorry, this email was meant to be a quick reply and ended up as an essay... Read below for my reply. On Tue, 23 Nov 2004 08:10:54 +0100, max <supermax () spymac com> wrote:
Hello everybody. I am confident Snort can work well in this environment, but I am evaluating software for the event analysis task. I used ACID for some time in a smaller environment, and really like it, but I don't know if it can permit users to query events with a db with more than 10 million events.
I doubt it, ACID gets problems with 1/4 million alerts so don't bet on it...
The platform should have strong possibilities to see events from different points of view (source IP, dest IP, event name, network sensor name, etc.) and drill down to analyze better. This approach is the only one I have found that permits analyzing so many events.
Sounds like you just described sguil (www.sguil.net). It's not web based (needs a client on each analyst machine) but scales very well and can do so much more than just browse alerts. If you drop by #snort-gui at irc.freenode.net during US daytime you can get yourself a tour of the system from anyone who feels ready for it. At the website there are screenshots and flash demos (yes bamm, the rest of them are on their way - trust me ;) ). To understand the whole NSM concept better I'd recommend "The Tao of Network Security Monitoring: Beyond Intrusion Detection" by Richard Bejtlich. I found the book very good and it has a chapter on sguil too (which is also available for download at the publisher's site). More info about the book and where to get sample chapters etc. can be found at the author's website: www.taosecurity.com
Do you have any experience to share on software (commercial/open source) that can permit Snort event analysis for an environment with so many events?
First off, don't alert on things you are not really interested in (i.e. do not just enable all rules in Snort without giving it at least a second thought). It will just use more resources (both hardware and human). There is no easy way to get it right though, all networks are different.

Some general thoughts: an internet worm exiting your network is more troublesome than an internet worm entering your network (the first one is a confirmed infection, the second one is a potential infection, if the system isn't patched).

NIDS are not a silver bullet and shouldn't be treated as such - use the right tool for the right job. Example: even if it's possible for Snort to detect some viruses, it's more cost effective (btw: cost doesn't always mean money) to have anti-virus on email and proxy servers (or other choke points). Don't let any PHBs tell you otherwise.

Practice NSM. Sure, it requires more resources to get going - but when the sh*t hits the fan you sure are happy that you took the extra step.

You will need something to manage the Snort config and rules on so many machines. You will also need to have a decent update infrastructure in place to keep all those boxes in place - you don't want to spend more time managing the systems than analysing the alerts...

Plan for the "what now?" step (a.k.a. Incident Response). If you detect an intrusion: who will do what? When? Why? etc. Remember: detection doesn't make your system or network any more secure if there isn't a response...

Hope that this will get you started...

Best regards
Michael Boman
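As an added example, not part of Michael's post and not code from Snort or sguil: the direction-based triage he describes (an outbound worm alert is a confirmed infection, an inbound one only a potential infection) applied to a few constructed Snort fast-format alert lines. HOME_NET is assumed to be 10.0.0.0/8, and the SIDs, messages and addresses are made up for the example.

```python
import re
import ipaddress

# Constructed sample alerts in Snort's "fast" alert format (not from the original post).
SAMPLE_ALERTS = """\
11/30-21:50:48.000001  [**] [1:9000001:1] WORM-TEST scan outbound [**] [Priority: 2] {TCP} 10.0.0.5:1034 -> 203.0.113.7:445
11/30-21:50:49.000002  [**] [1:9000001:1] WORM-TEST scan outbound [**] [Priority: 2] {TCP} 198.51.100.9:2048 -> 10.0.0.20:445
11/30-21:50:50.000003  [**] [1:9000002:1] WORM-TEST lateral [**] [Priority: 2] {TCP} 10.0.0.5:1035 -> 10.0.0.21:445
"""

# Matches the tail of a fast-format line: "[**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port"
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$"
)

def direction(src, dst, home_nets):
    """Classify an alert relative to HOME_NET (the assumed local address space)."""
    src_home = any(ipaddress.ip_address(src) in n for n in home_nets)
    dst_home = any(ipaddress.ip_address(dst) in n for n in home_nets)
    if src_home and not dst_home:
        return "outbound"   # local host attacking out: likely a confirmed infection
    if dst_home and not src_home:
        return "inbound"    # attempt against a local host: a potential infection
    if src_home and dst_home:
        return "internal"   # traffic between local hosts: possible lateral spread
    return "external"       # neither side is local; usually a sensor placement issue

# Triage order: outbound first, as the post argues, then internal, then inbound.
RANK = {"outbound": 0, "internal": 1, "inbound": 2, "external": 3}

def triage(alert_text, home_nets):
    """Parse fast-format alerts into (direction, sid, msg, src, dst) tuples,
    ordered so that outbound alerts come first."""
    nets = [ipaddress.ip_network(n) for n in home_nets]
    rows = []
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # skip anything that is not a fast-format alert line
        d = direction(m["src"], m["dst"], nets)
        rows.append((d, int(m["sid"]), m["msg"], m["src"], m["dst"]))
    return sorted(rows, key=lambda r: RANK[r[0]])

if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS, ["10.0.0.0/8"]):
        print(*row)
```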