[Snort-users] Basic questions about snort

Paul Asadoorian paul.com at ...530...
Sat Apr 14 23:59:53 EDT 2001

I am working on configuring snort in my organization.  We have many remote
sites, some of which use an Internet VPN to connect back to the main office.
These sites will have a snort intrusion detection system.  Corporate plans
to have at least 3 external sensors, and 3 internal sensors.  With all these
sensors I had to come up with a solution that wouldn't drive me nuts trying
to crunch all that data.  Here's what I am working on:

Sensor Systems:
PC PIII 500 MHz+, 128 MB RAM, 20 GB disk
OpenBSD 2.8
Customized Snorticus Scripts
OpenSSH 2.3

Analysis Database System:
Sun Enterprise 450, dual 440 MHz processors, 512 MB RAM, 40 GB disk
Solaris 8
OpenSSH 2.3
Postgres (Latest version)
Acid/PHP (Latest versions)
Apache 1.3.14
Customized Snorticus Scripts

Basically we place the sensors where ever we need them on the network.  The
sensors run snort and log to tcpdump binary format and create a tar.gz file
every hour.  The database ssh's to the sensor every hour and retrieves the
tarball.  The database then post-processes the data, and using the database
output plugin, writes it to postgres.  The data is then analyzed using Acid
(with Apache and PHP as the underlying technologies).  The sensors on the
internet and the database server grab the GMT time and date from
tick.usno.navy.mil, and the internal sensors will grab the data from the
database server.  Sensors will also grab syslog from routers and firewalls
on their respective networks and report back to a central syslog server.

This is kind of what I am thinking, hope it helps.  Anyone have any
suggestions, comments?  Love to hear your opinion.... If I get this going,
and it works well, I plan to write a paper on how it all works and how to
set it up in your own environment.

Paul Asadoorian
Internet Security Engineer
----- Original Message -----
From: Jason Lewis <jlewis at ...1831...>
To: <snort-users at lists.sourceforge.net>
Sent: Saturday, April 14, 2001 8:51 PM
Subject: [Snort-users] Basic questions about snort

> First, if there is a FAQ that covers my questions could someone point me
> to it?  I haven't been able to find one.
> Has anyone deployed snort in an enterprise class network?  If so, where did
> you go to help you get things working?  I am looking to roll snort out and
> don't want to reinvent the wheel.  If there isn't one, I will document my
> experience.
> Does snort get along with ipchains?  If I run snort on the same interface
> that I am running ipchains rules on, will it be able to detect attacks?  I
> guess the real question is, do the ipchains rules run before snort has a
> chance to see them?
> Jason
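The hourly sensor-to-database hand-off described in the reply above, written out as an added shell example; this is not the poster's Snorticus scripts nor anything from the Snort project. It assumes snort runs on the sensor with binary logging (`-b -l $spool`), that the collector has an ssh key for the sensor, and that the collector's snort.conf carries the `output database:` line for Postgres; SNORT_CMD and the pidfile path are assumed names.

```shell
#!/bin/sh
# Added example, not Snorticus and not the poster's own scripts.
# Assumed: sensor snort is started as "$SNORT_CMD -b -l $spool -D" and writes
# its pid to $pidfile; collector's snort.conf has "output database: ... postgres".

# Sensor side: bundle one finished hour of tcpdump-format logs into a tar.gz
# and record a checksum beside it so the collector can verify the transfer.
bundle_logs() {
    spool=$1; outdir=$2; stamp=$3           # stamp = GMT hour, e.g. 2001041423
    mkdir -p "$outdir/$stamp" || return 1
    # With -b snort keeps its current log open, so rotate_sensor stops snort
    # before calling this; every snort.log.* in the spool is then complete.
    find "$spool" -maxdepth 1 -type f -name 'snort.log.*' \
        -exec mv {} "$outdir/$stamp/" \;
    tar czf "$outdir/$stamp.tar.gz" -C "$outdir" "$stamp" || return 1
    rm -rf "$outdir/$stamp"
    ( cd "$outdir" && cksum "$stamp.tar.gz" > "$stamp.cksum" )
}

# Sensor side, from cron at the top of each hour: close snort's log file by
# stopping snort, bundle the hour, then start snort again in daemon mode.
rotate_sensor() {
    spool=$1; outdir=$2; pidfile=$3
    stamp=$(date -u +%Y%m%d%H)              # GMT, matching the NTP source used
    kill "$(cat "$pidfile")" && sleep 2
    bundle_logs "$spool" "$outdir" "$stamp"
    $SNORT_CMD -b -l "$spool" -D
}

# Collector side: pull the hour from a sensor over scp, verify the checksum,
# then replay each binary log through snort so the database output plugin
# writes the events into Postgres for Acid.
fetch_and_ingest() {
    sensor=$1; outdir=$2; stamp=$3; inbox=$4; conf=$5
    mkdir -p "$inbox/$sensor" || return 1
    scp "$sensor:$outdir/$stamp.tar.gz" "$sensor:$outdir/$stamp.cksum" \
        "$inbox/$sensor/" || return 1
    ( cd "$inbox/$sensor" && \
      [ "$(cksum "$stamp.tar.gz")" = "$(cat "$stamp.cksum")" ] ) \
        || { echo "checksum mismatch for $sensor $stamp" >&2; return 1; }
    tar xzf "$inbox/$sensor/$stamp.tar.gz" -C "$inbox/$sensor" || return 1
    for f in "$inbox/$sensor/$stamp"/snort.log.*; do
        [ -f "$f" ] && snort -c "$conf" -r "$f" -l "$inbox/$sensor/$stamp"
    done
}

case "${1:-}" in
    sensor)    rotate_sensor "$2" "$3" "$4" ;;
    collector) fetch_and_ingest "$2" "$3" "$4" "$5" "$6" ;;
esac
```

A collector cron entry would call `collector <sensor> <outdir> <stamp> <inbox> <snort.conf>` a few minutes after each sensor's `sensor` run, so the tarball is already closed when it is fetched.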
