[Snort-users] distributed snort

Michael Boman michael at ...3137...
Wed Oct 3 00:19:02 EDT 2001

On Wed, Oct 03, 2001 at 11:17:34AM +0800, meling wrote:
> Hi,
> I'm developing a distributed intrusion detection architecture using 
> Snort on the IDS sensors. We're targeting to deploy > 50 sensors on 
> multiple networks. These sensors will push the alert logs to 1 central
> console, where data crunching and analysis will take place.
> My questions are:
> 1. How feasible it is to send alert logs from 50 sensors to 1 central console? 
>    The central console will have several different components in itself,
>    such as data parsing, etc.

Except that you have a single point of failure there is not much
problem.. I would recommend to use something like barnyard once it
has DB support, else a network outage will be quite servere.
> 2. What is the most efficient way to make sure that Snort is runnig 24x7 on
>    the sensors? Is tcpserver any good? 

supervise (daemontools) is a choice.. or if you are running linux
just stick snort in /etc/inittab

> 3. What are the best data consolidation techniques available? My concern is 
>    that when too many data are displayed from various sensors on the 
>    monitoring console, security analyst will tend to ignore them. 

You could limit your analysts to a certain number of sensors to
monitor, so they wont get overwhelmed. What you have to look at is
to limit the number of non-interesting/no-action alerts, as if they
are not get anything interesting to look at they will start browing
sites etc.. Make sure that there are procedures for your techichians
to follow. Where we work things like portscans we basicly ignore,
meaning that we won't delete them but at most we drop one of the
standard letters to the ISP in charge. If we are getting attempted
system/admin attempt or acctually a complete compromise the reaction
will be quite different.

Basicly, if they are looking for info about your host you put them
in the suspected criminals basket. If they break in you call the
police. People tend to do info gathering before attacking the host,
hence we have a lookout for these people.

Best regards
 Michael Boman

There is no such thing as a system that is secure out of the box.
Tim [Timothy M. Mullen, CIO of AnchorIS.Com] claimed earlier this
morning that he had found one at WalMart the other day that was
secure out of the box, but as it turns out that was a Nintendo.

-- Jesper M Johansson, Ph.D. Assistant Professor of Information
   Systems at Boston University - during a SANS audio broadcast

More information about the Snort-users mailing list