Snort mailing list archives

Re: Snort Deployment Configurations

From: Jason Haar <Jason.Haar () trimble co nz>
Date: Mon, 07 Feb 2011 16:38:32 +1300

On 02/04/2011 04:11 PM, Martin Holste wrote:

I currently run Snort in multiple configurations on the gateway, but I
used to run it between servers and clients in the data center.  This
proved to be a total waste of time--the amount of traffic that needs
to be inspected combined with the massive amount of false positives
proved to be ineffective for useful intel for the amount of effort
required.  For monitoring the inside of the network, I recommend a
strategy of Netflow, firewall logs, and server logs before you start
trying IDS on that amount and kind of traffic.

Just as an aside: have you ever found a practical use for NetFlow beyond
detecting saturated pipes? e.g. like seeing spikes and tracking that
back to something "bad" that *wasn't* a DoS tool? I just wonder if using
mrtg to monitor for saturation would do 99.9% of what people actually
use NetFlow for... On large networks, NetFlow basically makes graphs of
traffic going up and down - you can get per-port if you're lucky. But
the complexity of real networks just makes me think detecting "bad
things" beyond DoS tools isn't really plausible?

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


------------------------------------------------------------------------------
The modern datacenter depends on network connectivity to access resources
and provide services. The best practices for maximizing a physical server's
connectivity to a physical network are well understood - see how these
rules translate into the virtual world? 
http://p.sf.net/sfu/oracle-sfdevnlfb
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Snort Deployment Configurations Michael Lubinski (Feb 03)
- Re: Snort Deployment Configurations waldo kitty (Feb 03)
- Re: Snort Deployment Configurations Martin Holste (Feb 03)
  - Re: Snort Deployment Configurations Jason Haar (Feb 06)
    - Re: Snort Deployment Configurations Crusty Saint (Feb 07)
    - Re: Snort Deployment Configurations Ray Caparros (Feb 07)
    - Re: Snort Deployment Configurations Martin Holste (Feb 07)
    - Re: Snort Deployment Configurations Bamm Visscher (Feb 07)
    - Re: Snort Deployment Configurations Martin Holste (Feb 07)
    - Re: Snort Deployment Configurations Joel Esler (Feb 07)
- Re: Snort Deployment Configurations Jason Wallace (Feb 04)
- Re: Snort Deployment Configurations Bamm Visscher (Feb 07)
  - Re: Snort Deployment Configurations Martin Holste (Feb 07)