[Snort-users] distributed snort
tph at ...3725...
Tue Oct 9 00:55:06 EDT 2001
Take a look at the following article from Network Computing.
Greg Shipley writes a very good article on the current state of intrusion
detection. Having decided to just beat the hell out of a box of mine, I
ran Snort on 3 sensors with a completely untweaked ruleset passing the data
back to mysql and ACID on the backend. After 2 days or so (15-20K alerts),
I found that on my underpowered box (400 Celeron, 128 MB RAM, RedHat 6.2) it
would take an exteremely long time to query the database.
While you can easily have 50+ sensors reporting back to your central
console, just remember you have to have some form of adequate front-end to
analyse the data. With the current front-ends of ALL IDS products that I
have seen, a frontend that will handle a true enterprise deployment with
decent throughput and traffic does not exist.
I would consider breaking your IDS deployment up into smaller more
manageable chunks, as this will make the analysis much easier...
tph at ...3725...
----- Original Message -----
From: "meling" <meling at ...3359...>
To: <snort-users at lists.sourceforge.net>
Sent: Tuesday, October 02, 2001 10:17 PM
Subject: [Snort-users] distributed snort
> I'm developing a distributed intrusion detection architecture using
> Snort on the IDS sensors. We're targeting to deploy > 50 sensors on
> multiple networks. These sensors will push the alert logs to 1 central
> console, where data crunching and analysis will take place.
> My questions are:
> 1. How feasible it is to send alert logs from 50 sensors to 1 central
> The central console will have several different components in itself,
> such as data parsing, etc.
> 2. What is the most efficient way to make sure that Snort is runnig 24x7
> the sensors? Is tcpserver any good?
> 3. What are the best data consolidation techniques available? My concern
> that when too many data are displayed from various sensors on the
> monitoring console, security analyst will tend to ignore them.
> Your input are very much appreciated.
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
More information about the Snort-users