[Snort-users] Deploying snort - Feedback reqd

Chuck Morford cmorford at ...3733...
Wed Oct 10 04:59:06 EDT 2001


Hi,
First, I'm running Snort on Win2k, with no DB...

I'm snorting about 15 subnets with 1 sensor on a mirrored port on my switch.
(Which my network guys handle, don't ask me any switch config questions...)

I have a couple of scheduled jobs that shuffle the log every 30 minutes and
archive every 6 hours.
The shuffled log is emailed to me by the shuffling process, with a command
line launched sendmail...

I have generated, long-term average, about 50 megs of files every 24
hours...Until recently, when I decided to PASS all the $HOME_NET ->
$HOME_NET ICMP traffic...Now my logs are down to about 15 megs in 24
hours...

Chuck Morford
Hostmaster, NC Dept. of Transportation

Shane Machon wrote:

> Greetings,
>
> I am fairly new to snort, after running it up on some development
> servers I see its massive potential for our network servers.
>
> I'm looking for feedback or case studies from people who have this sort
> of scenario:
>
> I've got 6 sensors that I want to run snort on, and report to a central
> system (either db or syslogd).
>
> I just have some simple questions I would like some feedback on.
>
> 1. I'm guessing (very roughly) I would get approximately 100+ alerts per
> remote server per day (This is almost impossible to guess as snort is
> not running on these machines yet). How much traffic would this generate
> on the remote computer? (Traffic comes at a cost ;)
> Are we just talking kilobytes of data or potentially megabytes of data?
> Is there some sort of calculation that I could use to work this out
> based on the approximation above (average bytes sent to a db for each
> attack)?
>
> 2. What is the best way of analysing the data? Would ACID be the best
> solution (based on there only being 1 Sysadmin to maintain all these
> servers)? Or has anyone run an email type solution that uses syslog and
> other programs (like logcheck perhaps) to send the sysadmin messages
> when the alert file is updated?
>
> I hope many others have been in this situation, and I hope that these
> people can provide me with their success stories on deploying snort.
>
> Cheers,
>
> SHANE MACHON
> Network Administrator
> Technical Project Manager
> Two Purple Plums Pty Ltd.
> TPP Internet Development
> (NetNames Australasia)
>
>   PO Box 334, Manly
>   NSW, 1655, Australia
>   Tel. +61 2 9970 5242
>   Fax. +61 2 9970 8262
>   Eml. shane at ...2397...
>
>     ==========================================
>     TPP Internet Development (NetNames Australasia)
>     The International Domain Name Registry
>     Registering Domain Names in over 200 countries
>     http://www.netnames.com.au
>     http://www.internetdevelopment.com.au
>     http://www.twoplums.com.au
>     ==========================================
>
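An added example, written for this page and not code from the thread or from the Snort project, that ties Chuck's observation (passing $HOME_NET -> $HOME_NET ICMP cut his daily log volume by roughly two thirds) to Shane's first question (how many bytes a given alert rate produces). It parses Snort "-A fast" alert lines, measures the bytes each alert occupies on disk or in an emailed log, shows how much of that volume is internal ICMP, and projects a daily byte count from an assumed alert rate. The $HOME_NET range (10.0.0.0/8) and the sample alert lines, including their SIDs and revisions, are constructed for the example, not taken from either poster's network.

```python
import ipaddress
import re
from collections import Counter

# Hypothetical $HOME_NET for this sensor (assumption; neither poster's ranges are in the thread).
HOME_NET = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample of Snort "-A fast" alert lines; SIDs and revisions are illustrative only.
SAMPLE_ALERTS = """\
10/10-04:01:12.118201  [**] [1:384:4] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.1.2.3 -> 10.1.2.4
10/10-04:01:12.119744  [**] [1:408:4] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.1.2.4 -> 10.1.2.3
10/10-04:02:40.003310  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.77:3412 -> 10.1.9.20:80
10/10-04:03:05.551000  [**] [1:384:4] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.9 -> 10.1.9.20
10/10-04:03:59.900200  [**] [1:1322:5] BAD-TRAFFIC bad frag bits [**] [Classification: Misc activity] [Priority: 3] {IP} 198.51.100.5 -> 10.1.9.21
"""

# One fast-format alert line: timestamp, gid:sid:rev, message, protocol, then src [-> dst] with optional ports.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Return a dict for one alert line, or None if the line is not a fast-format alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    alert = m.groupdict()
    # Size the alert as it sits in the log file or the emailed copy: the line plus its newline.
    alert["bytes"] = len(line.encode("utf-8")) + 1
    return alert


def in_home_net(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in HOME_NET)


def is_internal_icmp(alert):
    """True for what Chuck's pass rule suppresses: ICMP with both endpoints inside $HOME_NET."""
    return alert["proto"] == "ICMP" and in_home_net(alert["src"]) and in_home_net(alert["dst"])


def summarise(text, drop_internal_icmp=False):
    """Count alerts, bytes and per-signature totals, optionally as if the pass rule were active."""
    alerts = [a for a in map(parse_alert, text.splitlines()) if a]
    if drop_internal_icmp:
        alerts = [a for a in alerts if not is_internal_icmp(a)]
    return {
        "alerts": len(alerts),
        "bytes": sum(a["bytes"] for a in alerts),
        "per_sig": Counter(a["msg"] for a in alerts),
    }


def projected_bytes_per_day(summary, alerts_per_day):
    """Shane's question 1: average bytes per alert times the expected daily alert count."""
    if summary["alerts"] == 0:
        return 0
    return round(summary["bytes"] / summary["alerts"] * alerts_per_day)


if __name__ == "__main__":
    before = summarise(SAMPLE_ALERTS)
    after = summarise(SAMPLE_ALERTS, drop_internal_icmp=True)
    for label, s in (("all alerts", before), ("with internal ICMP passed", after)):
        print(f"{label}: {s['alerts']} alerts, {s['bytes']} bytes, top: {s['per_sig'].most_common(2)}")
        print(f"  projected at 100 alerts/day: {projected_bytes_per_day(s, 100)} bytes/day")
```

The per-signature counter is the useful part for a single sysadmin: run it over a day of fast alerts before writing any pass rule, so the rule targets the signatures that actually dominate the volume. The rule Chuck describes would be written as `pass icmp $HOME_NET any -> $HOME_NET any`; note that Snort 1.x applies rules in alert, pass, log order unless it is started with `-o`, which moves pass rules first, so without `-o` the alert still fires before the pass rule is consulted.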