[Snort-users] Basic questions about snort

Jason Lewis jlewis at ...1831...
Sat Apr 14 23:58:57 EDT 2001


That is exactly the kind of thing I am looking for.

What are you planning to do about alerting?

Can ACID handle Cisco logs?  I have been using fwlogwatch to parse Cisco
logs for viewing on the web.  I use swatch to alert me to logged attacks.

I haven't had a chance to look at Snorticus, but I was thinking of using it
in a similar fashion.

Thanks for the feedback,

jas

-----Original Message-----
From: Paul Asadoorian [mailto:paul.com at ...530...]
Sent: Sunday, April 15, 2001 12:00 AM
To: jlewis at ...1831...; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Basic questions about snort


I am working on configuring snort in my organization.  We have many remote
sites, some of which use an Internet VPN to connect back to the main office.
These sites will have a snort intrusion detection system.  Corporate plans
to have at least 3 external sensors, and 3 internal sensors.  With all these
sensors I had to come up with a solution that wouldn't drive me nuts trying
to crunch all that data.  Here's what I am working on:

Sensor Systems:
PC PIII 500MHz+, 128MB RAM, 20gig disk
OpenBSD 2.8
Snort-1.7beta8
Customized Snorticus Scripts
OpenSSH 2.3

Analysis Database System:
Sun Enterprise 450 Dual 440MHz processors, 512MB RAM, 40gig
Solaris 8
OpenSSH 2.3
Snort-1.7beta8
Postgres (Latest version)
Acid/PHP (Latest versions)
Apache 1.3.14
Customized Snorticus Scripts


Basically we place the sensors wherever we need them on the network.  The
sensors run snort and log to tcpdump binary format and create a tar.gz file
every hour.  The database ssh's to the sensor every hour and retrieves the
tarball.  The database then post-processes the data, and using the database
output plugin, writes it to postgres.  The data is then analyzed using Acid
(with Apache and PHP as the underlying technologies).  The sensors on the
internet and the database server grab the GMT time and date from
tick.usno.navy.mil, and the internal sensors will grab the data from the
database server.  Sensors will also grab syslog from routers and firewalls
on their respective networks and report back to a central syslog server.

This is kind of what I am thinking, hope it helps.  Anyone have any
suggestions, comments?  Love to hear your opinion.... If I get this going,
and it works well, I plan to write a paper on how it all works and how to
set it up in your own environment.

Paul Asadoorian
Internet Security Engineer
----- Original Message -----
From: Jason Lewis <jlewis at ...1831...>
To: <snort-users at lists.sourceforge.net>
Sent: Saturday, April 14, 2001 8:51 PM
Subject: [Snort-users] Basic questions about snort


> First, if there is a FAQ that covers my questions could someone point me to
> it?  I haven't been able to find one.
>
> Has anyone deployed snort in an enterprise class network?  If so, where did
> you go to help you get things working?  I am looking to roll snort out and I
> don't want to reinvent the wheel.  If there isn't one, I will document my
> experience.
>
> Does snort get along with ipchains?  If I run snort on the same interface
> that I am running ipchains rules on, will it be able to detect attacks?  I
> guess the real question is, do the ipchains rules run before snort has a
> chance to see them?
>
> Jason
>
>
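The hourly pull-and-post-process loop Paul describes (sensor writes a tar.gz, the database host fetches it over ssh, replays it into snort with the database output plugin), written out as an added shell example; it is not his Snorticus scripts and not part of the original thread. Assumed: key-based ssh as a user named collector, archives named <sensor>-<YYYYMMDDHH>.tar.gz in REMOTE_DIR on each sensor, a snort.conf on the database host whose output line points the database plugin at postgres, and placeholder sensor host names.

```shell
#!/bin/sh
# Collector side of the hourly pull: fetch each sensor's tarball over ssh,
# check it before extraction, and replay the capture through snort so the
# database output plugin loads it into postgres for ACID. Assumes a line
# like this in SNORT_CONF (assumption, adjust to your schema/host):
#   output database: log, postgresql, user=snort dbname=snort host=localhost
set -eu

SENSORS="${SENSORS:-sensor1.example.com sensor2.example.com}"  # placeholders
REMOTE_DIR="${REMOTE_DIR:-/var/snort/archive}"
WORK="${WORK:-/var/snort/incoming}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"

# Reject a member name that could land outside the extraction directory:
# an absolute path, or a ".." component anywhere in the path.
check_member_name() {
    case "$1" in
        ..|/*|../*|*/../*|*/..) return 1 ;;
    esac
    return 0
}

# 0 only if every member passes check_member_name and at least one .pcap
# is present. Listing happens before extraction, so an archive pulled from
# an exposed sensor never touches the filesystem until it has been checked.
tarball_is_safe() {
    tar tzf "$1" | while read -r m; do
        check_member_name "$m" || exit 1
    done || return 1
    tar tzf "$1" | grep -q '\.pcap$'
}

# Pull one hour's archive from one sensor and post-process it.
pull_and_process() {
    sensor=$1; hour=$2                       # hour as YYYYMMDDHH, GMT
    tgz="$sensor-$hour.tar.gz"
    dest="$WORK/$sensor/$hour"
    mkdir -p "$dest"
    scp -q "collector@$sensor:$REMOTE_DIR/$tgz" "$dest/"
    tarball_is_safe "$dest/$tgz" || { echo "refusing $tgz" >&2; return 1; }
    tar xzf "$dest/$tgz" -C "$dest"
    for pcap in "$dest"/*.pcap; do
        # -r replays the capture; -N skips re-logging packets to disk;
        # the "output database" line in snort.conf does the postgres insert
        snort -r "$pcap" -c "$SNORT_CONF" -N -l "$dest"
    done
}
# Run the hourly pass only when asked, so the functions can also be sourced.
if [ "${RUN_COLLECTOR:-0}" = 1 ]; then
    for s in $SENSORS; do pull_and_process "$s" "${HOUR:-$(date -u +%Y%m%d%H)}"; done
fi
```

Run it from cron on the database host with RUN_COLLECTOR=1 and HOUR set to the hour the sensors just closed.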
