[Snort-users] Deploying snort - Feedback reqd
hugh_fraser at ...2804...
Wed Oct 10 07:38:10 EDT 2001
> -----Original Message-----
> From: Shane Machon [mailto:shane at ...2397...]
> Sent: Tuesday, October 09, 2001 8:13 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Deploying snort - Feedback reqd
> I am fairly new to snort; after running it up on some development
> servers I see its massive potential for our network servers.
> I'm looking for feedback or case studies from people who have this sort
> of scenario:
> I've got 6 sensors that I want to run snort on, and report to a central
> system (either db or syslogd).
> I just have some simple questions I would like some feedback on.
> 1. I'm guessing (very roughly) I would get approximately 100+ alerts per
> remote server per day (This is almost impossible to guess as snort is
> not running on these machines yet). How much traffic would this generate
> on the remote computer? (Traffic comes at a cost ;)
> Are we just talking kilobytes of data or potentially megabytes of data?
> Is there some sort of calculation that I could use to work this out
> based on the approximation above (average bytes sent to a db for each
The amount of traffic depends not only upon the number of events, but also
how much information you choose to gather for each event (it can vary
depending on how you configure your rules). It's certainly possible to
estimate the volume in a controlled, well-configured, steady-state
environment. But since the purpose of the IDS is to watch for anomalies,
you'll need to be aware that unexpected events like the Nimda virus have the
capacity to generate huge amounts of traffic from your IDS.
> 2. What is the best way of analysing the data? Would ACID be the best
> solution (based on there only being 1 Sysadmin to maintain all these
> servers)? Or has anyone run an email type solution that uses syslog and
> other programs (like logcheck perhaps) to send the sysadmin messages
> when the alert file is updated?
ACID is a good real-time analysis tool. However, we don't have the luxury of
having someone watch a display 24x7. Getting the number of alerts down to a
manageable number is an on-going process, but a necessary one to get to the
point where exception reporting is possible. It's an on-going process,
involving tailoring the ruleset to reflect our environment, and some add-on
code to selectively page only for certain alerts.
> I hope many others have been in this situation, and I hope that these
> people can provide me with their success stories on deploying snort.
> SHANE MACHON
> Network Administrator
> Technical Project Manager
> Two Purple Plums Pty Ltd.
> TPP Internet Development
> (NetNames Australasia)
> PO Box 334, Manly
> NSW, 1655, Australia
> Tel. +61 2 9970 5242
> Fax. +61 2 9970 8262
> Eml. shane at ...2397...
> TPP Internet Development (NetNames Australasia)
> The International Domain Name Registry
> Registering Domain Names in over 200 countries
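The "add-on code to selectively page only for certain alerts" and the warning about Nimda-style bursts above are the two things a first deployment needs. The following is an added example, not code from either poster or from the Snort project: it parses Snort's alert_fast output format, pages only for signatures a small policy selects (a priority threshold plus explicit always/never lists), and throttles repeats per signature so one outbreak produces a handful of pages rather than thousands. The SIDs, hosts and alert lines are constructed for illustration; the year supplied to the timestamp parser is an assumption, since alert_fast lines carry none.

```python
"""Selective paging for Snort alert_fast output.

Added example, not code from the original thread.  Parses Snort's
alert_fast lines, pages only for signatures a policy selects, and
throttles repeats per signature so an outbreak like Nimda does not
become thousands of pages.  All SIDs, hosts and alert lines below are
constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One alert_fast line looks like (constructed example):
# 10/10-07:38:10.123456  [**] [1:1002:1] WEB-IIS cmd.exe access [**]
#   [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:3245 -> 198.51.100.5:80
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

def parse_alert(line, year=2001):
    """Return a dict for one alert_fast line, or None if it does not parse.
    alert_fast carries no year, so the caller supplies one (assumed here)."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    for k in ("gid", "sid", "rev"):
        a[k] = int(a[k])
    a["prio"] = int(a["prio"]) if a["prio"] else 3   # missing priority: treat as low
    a["ts"] = datetime.strptime(f"{year}/{a['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return a

class PagingPolicy:
    """Decide which alerts are worth waking someone up for."""
    def __init__(self, max_priority=1, always_page=(), never_page=(),
                 window=timedelta(minutes=10), max_pages_per_sig=3):
        self.max_priority = max_priority      # page on priority <= this (1 is most severe)
        self.always_page = set(always_page)   # (gid, sid) pairs paged regardless of priority
        self.never_page = set(never_page)     # (gid, sid) pairs tuned out entirely
        self.window = window
        self.max_pages_per_sig = max_pages_per_sig
        self._sent = defaultdict(list)        # (gid, sid) -> timestamps of pages already sent
        self.suppressed = 0                   # alerts dropped by the throttle

    def should_page(self, a):
        key = (a["gid"], a["sid"])
        if key in self.never_page:
            return False
        if key not in self.always_page and a["prio"] > self.max_priority:
            return False
        # Throttle: at most max_pages_per_sig pages per signature per window,
        # so a worm hitting every sensor yields a few pages, not a flood.
        sent = [t for t in self._sent[key] if a["ts"] - t < self.window]
        self._sent[key] = sent
        if len(sent) >= self.max_pages_per_sig:
            self.suppressed += 1
            return False
        sent.append(a["ts"])
        return True

def select_pages(lines, policy):
    """Run alert_fast lines through the policy; return the alerts to page on."""
    pages = []
    for line in lines:
        a = parse_alert(line)
        if a is not None and policy.should_page(a):
            pages.append(a)
    return pages

# Constructed sample: one exploit attempt, one scan, one noisy probe, then
# a burst of the same IIS exploit attempt from many hosts (outbreak shape).
SAMPLE = [
    "10/10-07:38:10.000001  [**] [1:1002:1] WEB-IIS cmd.exe access [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:3245 -> 198.51.100.5:80",
    "10/10-07:38:11.000002  [**] [1:469:1] ICMP PING NMAP [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.11 -> 198.51.100.5",
    "10/10-07:38:12.000003  [**] [1:368:1] ICMP PING BSDtype [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.12 -> 198.51.100.5",
]
for i in range(20):  # 20 more cmd.exe hits within two minutes, from different sources
    SAMPLE.append(
        f"10/10-07:{39 + i // 10:02d}:{(i * 6) % 60:02d}.000000  [**] [1:1002:1] WEB-IIS cmd.exe access [**] "
        f"[Classification: Web Application Attack] [Priority: 1] {{TCP}} 192.0.2.{20 + i}:1{i:03d} -> 198.51.100.5:80")

if __name__ == "__main__":
    policy = PagingPolicy(max_priority=1,
                          always_page={(1, 469)},   # NMAP pings: page even at priority 2
                          never_page={(1, 368)})    # generic ping: never page
    for a in select_pages(SAMPLE, policy):
        print(f"PAGE {a['ts']:%m/%d %H:%M:%S} sid={a['sid']} {a['msg']} {a['src']} -> {a['dst']}")
    print(f"suppressed by throttle: {policy.suppressed}")
```

Run against the constructed sample, the policy pages on the first cmd.exe hit, the NMAP ping (forced on by always_page), and two more cmd.exe hits; the remaining 18 repeats inside the ten-minute window are counted as suppressed rather than paged. The throttle state lives in the PagingPolicy instance, so a long-running reader (for example tailing the alert file or a syslog feed) keeps one policy object for its lifetime.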