[Snort-devel] Questionnaire for FAQ on 'how many alerts does snort receive'.

Kreimendahl, Chad J Chad.Kreimendahl at ...1167...
Tue Jun 11 07:44:03 EDT 2002


I'm not sure a realistic number can be used.  On my cable connection at
home, I see tons of BS Nimda attempts... But overall don't get tons of
hits... And that's with all rules on.  At work (a bank), we have enough
traffic going through, that we had to pare down the unnecessary rules
because it would generate thousands of alerts every hour.   I'd imagine if
you own a porn hosting service (since that's where IDS companies seem to
love to test), that you'd see exponents beyond that...

Really depends on what your network does, and on what network you are
located...

-----Original Message-----
From: Imran William Smith [mailto:iwsmith at ...1111...] 
Sent: Monday, June 10, 2002 7:53 PM
To: snort-devel at lists.sourceforge.net
Subject: [Snort-devel] Questionnaire for FAQ on 'how many alerts does snort
receive'.


(I tried asking this on snort-users, but not a single reply after 1 day!
Maybe nobody has got snort to compile on snort-users yet :)
I think this would be a useful addition to the snort-FAQ, and
it will only take a minute of your time to complete the questionnaire...)


I want to try to answer the questions

    "How many alerts does snort receive?"
    "How much space do they take?",

by polling people and trying to summarize this into 'high / low / typical'
figures, based on size of organisation, type of rules enabled etc.

It's a question that many people will need to estimate / guess
at some point.   The results will also help if you want to know the impact
of turning on payloads / switching to a different logging type etc.

So, please take 1 minute to complete the questionnaire, and email back
to me.  I will list the contributors, but not mention publicly who submitted
which result.  If you are really paranoid, send the results from an
anonymous email address!!  The longer your results are sampled over (number
of days), the more useful, to make a better average.  A few
'don't knows' are fine...



Questionnaire:
-----------------

month/year of capture:

version of snort:

description of rules enabled  - default? all? custom (please give details):

sensor environment - what kind/size of organisation, location of sensor etc:

inside some kind of firewall (Y/N):

bandwidth sniffed (ISDN, ADSL, 10, 100, gigabit etc):

duration of sniffing (days):

total number of alerts raised:

format of alerting - text/fast, text/full (this is the default), tcpdump,
database (what type?) etc:

payloads captured (Y/N):

total disk space taken by the alerts (including payloads if captured,
database indexes etc):




Thanks everyone.  I'll post detailed results later (maybe after 1 week?),
along with a bit of analysis.


--
Imran William Smith
Security Products Development
Mimos Bhd, Malaysia
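Added example, not from either poster: a small script that fills in the questionnaire's "total number of alerts", "duration (days)" and "disk space" lines from a Snort text/fast alert file, and lists the rules that dominate the count (the ones you would look at first when, as in the reply above, a sensor generates more alerts than anyone can read). It assumes the fast-format line layout shown in the comment, a constructed sample file, and that the capture year is supplied separately because fast-format timestamps carry only month and day.

```python
"""Derive the questionnaire's alert-count, duration and disk-space figures
from a Snort 'fast' alert file, and list the noisiest rules."""
import re
from collections import Counter
from datetime import datetime

# One Snort fast-format alert per line; the timestamp has no year, so the
# capture year is passed in. Hypothetical helper, not Snort's own code.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
)

# Constructed sample alert file (documentation addresses, not real traffic).
SAMPLE_ALERTS = "\n".join([
    "06/10-19:53:01.123456  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:3456 -> 192.0.2.10:80",
    "06/10-22:14:09.000001  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:1034 -> 192.0.2.10:80",
    "06/11-03:07:44.500000  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.9 -> 192.0.2.10",
    "06/11-17:40:12.250000  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:3460 -> 192.0.2.10:80",
    "06/12-08:00:00.000000  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.11:2222 -> 192.0.2.10:80",
]) + "\n"


def summarize_fast_alerts(text, year=2002, top=3):
    """Return alert count, calendar days spanned, bytes used and top rules."""
    total, stamps, per_rule = 0, [], Counter()
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:  # skip blank or non-alert lines
            continue
        total += 1
        stamps.append(datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f"))
        per_rule[(m["sid"], m["msg"])] += 1
    disk_bytes = len(text.encode("utf-8"))  # what the text file costs on disk
    if total == 0:
        return {"total_alerts": 0, "days_spanned": 0, "alerts_per_day": 0.0,
                "disk_bytes": disk_bytes, "bytes_per_alert": 0.0, "top_rules": []}
    days = (max(stamps).date() - min(stamps).date()).days + 1  # inclusive span
    return {
        "total_alerts": total,
        "days_spanned": days,
        "alerts_per_day": total / days,
        "disk_bytes": disk_bytes,
        "bytes_per_alert": disk_bytes / total,
        # Rules dominating the count are the first candidates for tuning.
        "top_rules": [(sid, msg, n) for (sid, msg), n in per_rule.most_common(top)],
    }


if __name__ == "__main__":
    for key, value in summarize_fast_alerts(SAMPLE_ALERTS).items():
        print(f"{key}: {value}")
```

The bytes figure covers only the text alert file; payloads logged separately or a database with indexes, as the questionnaire notes, would need to be measured on their own.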






_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




_______________________________________________
Snort-devel mailing list
Snort-devel at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel



