Re: Snort Deployment Configurations

[Martin Holste <mcholste () gmail com>]

> Most of the time, this process will lead to the deployment of many
> (smaller) sensors versus one sensor to rule them all. I expect dollars
> and perceived simplicity drive the "one sensor" mentality, but in my
> experience, it's at the cost of reduced ability to detect and respond
> to security incidents.

Agree--that's why I recommend getting a mature logging framework up
and running before trying to do IDS in the data center.  Centralized
logging is somewhat like having a little IDS in front of every server.
 The main advantage being that you get business logic layers that are
impossible or difficult to get from the network.  That said, logging
won't do much good unless you've got it on verbose output.  For
Windows servers, turning on file modification/create logging and using
something evtsys (code.google.com/p/eventlog-to-syslog) to bulk
forward everything to a central repo is a pretty big win.  Once that
low-hanging fruit is out of the way, then you can worry about
installing and tuning all of the appropriate IDS's, which is a much
larger task if you do it in a meaningful way.

------------------------------------------------------------------------------
The modern datacenter depends on network connectivity to access resources
and provide services. The best practices for maximizing a physical server's
connectivity to a physical network are well understood - see how these
rules translate into the virtual world? 
http://p.sf.net/sfu/oracle-sfdevnlfb
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users