Snort mailing list archives
Re: Snort Deployment Configurations
From: Bamm Visscher <bamm.visscher () gmail com>
Date: Mon, 7 Feb 2011 12:01:40 -0500
I most definitely deploy multiple sensors in various locations running different rulesets (and potentially gathering different data types). I expect most successful NSM deployments do the same. When deploying sensors, the best advice I can give is put as much (more?) focus on the perceived threat as you do on your infrastructure. Don't fall into the infrastructure security stigma (i.e. "IDS goes w/the FW", "IDS monitoring to meet compliance requirements of critical assets", etc.). Instead, first look at the threats you face and how those actors may exploit weaknesses within your infrastructure to gain access to the data they desire. Then determine which locations on your network best leverage your ability to detect and respond to incidents from these actors. Most of the time, this process will lead to the deployment of many (smaller) sensors versus one sensor to rule them all. I expect dollars and perceived simplicity drive the "one sensor" mentality, but in my experience, it's at the cost of reduced ability to detect and respond to security incidents.

Bamm

On Thu, Feb 3, 2011 at 7:31 PM, Michael Lubinski <michael.lubinski () gmail com> wrote:
I find myself thinking more and more in the realm of NSM and Snort. I have been running different theoretical deployment situations in my head on how / where I would deploy a Snort sensor. I thought "Why don't I just ask the people that work with it every day." I would imagine running Snort on the outside of your network would net a different set of rules being active than would a Snort sensor running internally. Does anyone run Snort in multiple locations with varied purposes like this example? Before I started to really dig into Snort I always thought of it as an inline gateway monitor / filter between you and the world, but the more I learn, the more I see that it can be much more universal depending on the rules included. What other considerations might someone new to Snort such as myself overlook at first thought?

------------------------------------------------------------------------------
The modern datacenter depends on network connectivity to access resources and provide services. The best practices for maximizing a physical server's connectivity to a physical network are well understood - see how these rules translate into the virtual world? http://p.sf.net/sfu/oracle-sfdevnlfb
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
sguil - The Analyst Console for NSM
http://sguil.sf.net