[Snort-users] Deploying snort - Feedback reqd
cmorford at ...3733...
Wed Oct 10 04:59:06 EDT 2001
First, I'm running Snort on Win2k, with no DB...
I'm snorting about 15 subnets with 1 sensor on a mirrored port on my switch.
(Which my network guys handle, don't ask me any switch config questions...)
I have a couple of scheduled jobs that shuffle the log every 30 minutes and
archive every 6 hours.
The shuffled log is emailed to me by the shuffling process, with a command
line launched sendmail...
I have generated, long-term average, about 50 megs of files every 24
hours...Until recently, when I decided to PASS all the $HOME_NET ->
$HOME_NET ICMP traffic...Now my logs are down to about 15 megs in 24
Hostmaster, NC Dept. of Transportation
Shane Machon wrote:
> I am fairly new to snort, after running it up on some development
> servers I see its massive potential for our network servers.
> I'm looking for feedback or case studies from people who have this sort
> of scenario:
> I've got 6 sensors that I want to run snort on, and report to a central
> system (either db or syslogd).
> I just have some simple questions would like some feedback on.
> 1. I'm guessing (very roughly) I would get approximately 100+ alerts per
> remote server per day (This is almost impossible to guess as snort is
> not running on these machines yet). How much traffic would this generate
> on the remote computer? (Traffic comes at a cost ;)
> Are we just talking kilobytes of data or potentially megabytes of data?
> Is there some sort of calculation that I could use to work this out
> based on the approximation above (average bytes sent to a db for each
> 2. What is the best way of analysing the data? Would ACID be the best
> solution (based on there only being 1 Sysadmin to maintain all these
> servers)? Or has anyone run an email type solution that uses syslog and
> other programs (like logcheck perhaps) to send the sysadmin messages
> when the alert file is updated?
> I hope many others have been in this situation, and I hope that these
> people can provide me with their success stories on deploying snort.
> SHANE MACHON
> Network Administrator
> Technical Project Manager
> Two Purple Plums Pty Ltd.
> TPP Internet Development
> (NetNames Australasia)
> PO Box 334, Manly
> NSW, 1655, Australia
> Tel. +61 2 9970 5242
> Fax. +61 2 9970 8262
> Eml. shane at ...2397...
> TPP Internet Development (NetNames Australasia)
> The International Domain Name Registry
> Registering Domain Names in over 200 countries
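Shane's first question (how much alert data six sensors would push to a central collector, and whether there is a calculation for it) and Chuck's observation that passing $HOME_NET -> $HOME_NET ICMP cut his daily volume from roughly 50 MB to 15 MB both come down to the same measurement: how many bytes of the alert log each signature and each traffic class accounts for. The script below is an added example written for this thread, not code from either poster or from the Snort project. It parses Snort "alert fast" lines, totals bytes per signature, measures the share attributable to internal-to-internal ICMP, and gives the alerts/day x bytes/alert x sensors sizing Shane asked about. The sample alert lines and the 10.1.0.0/16 $HOME_NET are constructed for the example; point it at a real alert file and set HOME_NET from snort.conf to get numbers for your own sensors.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of Snort "alert fast" output (not taken from the thread).
# Shape: timestamp [**] [gid:sid:rev] msg [**] [Classification] [Priority] {proto} src -> dst
SAMPLE_ALERTS = """\
10/10-04:01:12.334455  [**] [1:384:4] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.1.5.20 -> 10.1.7.9
10/10-04:01:13.001122  [**] [1:408:4] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.1.7.9 -> 10.1.5.20
10/10-04:02:40.778899  [**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.3.4:80 -> 203.0.113.17:41002
10/10-04:03:05.112233  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.7 -> 10.1.3.4
10/10-04:03:06.445566  [**] [1:384:4] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.1.5.21 -> 10.1.7.9
"""

# Assumed $HOME_NET for the sample; in practice take the value from snort.conf.
HOME_NET = [ipaddress.ip_network("10.1.0.0/16")]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>[A-Za-z]+)\}\s+(?P<src>" + IPV4 + r")(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>" + IPV4 + r")(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Parse one alert-fast line into a dict; return None for lines that do not match."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = len(line.encode()) + 1  # +1 for the newline stored in the log file
    return rec


def is_internal(ip, home_net=HOME_NET):
    """True when the address falls inside one of the $HOME_NET prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in home_net)


def summarize(alert_text, home_net=HOME_NET):
    """Count alerts and log bytes per signature, plus the share that is HOME_NET -> HOME_NET ICMP."""
    summary = {
        "total_alerts": 0, "total_bytes": 0,
        "internal_icmp_alerts": 0, "internal_icmp_bytes": 0,
        "alerts_by_sid": Counter(), "bytes_by_sid": Counter(),
    }
    for line in alert_text.splitlines():
        rec = parse_alert(line)
        if rec is None:
            continue
        key = f"{rec['gid']}:{rec['sid']} {rec['msg']}"
        summary["total_alerts"] += 1
        summary["total_bytes"] += rec["bytes"]
        summary["alerts_by_sid"][key] += 1
        summary["bytes_by_sid"][key] += rec["bytes"]
        if (rec["proto"].upper() == "ICMP"
                and is_internal(rec["src"], home_net)
                and is_internal(rec["dst"], home_net)):
            summary["internal_icmp_alerts"] += 1
            summary["internal_icmp_bytes"] += rec["bytes"]
    return summary


def estimate_daily_bytes(alerts_per_day, avg_bytes_per_alert, sensors=1):
    """Rough sizing for shipping alerts to a collector: alerts/day x bytes/alert x sensors."""
    return alerts_per_day * avg_bytes_per_alert * sensors


def reduction_if_passed(summary):
    """Fraction of log bytes a HOME_NET -> HOME_NET ICMP pass rule would remove."""
    if summary["total_bytes"] == 0:
        return 0.0
    return summary["internal_icmp_bytes"] / summary["total_bytes"]


if __name__ == "__main__":
    s = summarize(SAMPLE_ALERTS)
    avg = s["total_bytes"] / s["total_alerts"]
    print(f"{s['total_alerts']} alerts, {s['total_bytes']} bytes, avg {avg:.0f} bytes/alert")
    for sig, n in s["alerts_by_sid"].most_common():
        print(f"  {n:4d}  {s['bytes_by_sid'][sig]:6d} B  {sig}")
    print(f"internal ICMP share of log: {reduction_if_passed(s):.0%}")
    print(f"6 sensors x 100 alerts/day at {avg:.0f} B -> "
          f"{estimate_daily_bytes(100, avg, 6) / 1e6:.2f} MB/day")
```

The per-signature byte totals are what you want before writing any pass or suppression rule: they show whether the volume is coming from a handful of noisy internal signatures (as in Chuck's case) or from genuinely interesting external traffic, and the same numbers feed the sizing estimate for a central DB or syslog collector. Alert-fast lines are only a couple of hundred bytes each, so at Shane's guess of 100 alerts per sensor per day the wire cost is kilobytes, not megabytes; full packet logging is a different story and is not measured here.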