[Snort-users] distributed snort

Tim Hughes tph at ...3725...
Tue Oct 9 00:55:06 EDT 2001

Take a look at the following article from Network Computing.

Greg Shipley writes a very good article on the current state of intrusion
detection.  Having decided to just beat the hell out of a box of  mine, I
ran Snort on 3 sensors with a completely untweaked ruleset passing the data
back to mysql and ACID on the backend.  After 2 days or so (15-20K alerts),
I found that on my underpowered box (400 Celeron, 128 MB RAM, RedHat 6.2) it
would take an exteremely long time to query the database.

While you can easily have 50+ sensors reporting back to your central
console, just remember you have to have some form of adequate front-end to
analyse the data.  With the current front-ends of ALL IDS products that I
have seen, a frontend that will handle a true enterprise deployment with
decent throughput and traffic does not exist.

I would consider breaking your IDS deployment up into smaller more
manageable chunks, as this will make the analysis much easier...

Tim Hughes
tph at ...3725...
----- Original Message -----
From: "meling" <meling at ...3359...>
To: <snort-users at lists.sourceforge.net>
Sent: Tuesday, October 02, 2001 10:17 PM
Subject: [Snort-users] distributed snort

> Hi,
> I'm developing a distributed intrusion detection architecture using
> Snort on the IDS sensors. We're targeting to deploy > 50 sensors on
> multiple networks. These sensors will push the alert logs to 1 central
> console, where data crunching and analysis will take place.
> My questions are:
> 1. How feasible it is to send alert logs from 50 sensors to 1 central
>    The central console will have several different components in itself,
>    such as data parsing, etc.
> 2. What is the most efficient way to make sure that Snort is runnig 24x7
>    the sensors? Is tcpserver any good?
> 3. What are the best data consolidation techniques available? My concern
>    that when too many data are displayed from various sensors on the
>    monitoring console, security analyst will tend to ignore them.
> Your input are very much appreciated.
> --mel
> http://ini2.net/mel
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

More information about the Snort-users mailing list