[Snort-users] Snort on networks with heavy load.

John-Magne Bredal bredal at ...4842...
Mon Feb 4 01:52:09 EST 2002


Hi.

I am in my final year in my university education, and are currently
working with security. Right now I am working with Snort, trying to get it
to send a reasonable number of alerts on our high-speed network. We have
about 12000 computers connected to it, so needless to say it is a LOT of
things going on there.

I wonder if there are any other Snort-users that have any experience in
using Snort on heavily loaded networks? I would be glad to get some advice
on this matter. What have other people who are in the same situation done?
How to decrease the number of alerts? Are there any software/projects
developed that in any way that manages the high load? How to avoid
spamming the users with alerts?

Currently I have removed a lot of signatures, and Snort is not getting all
our traffic. I am logging to a Mysql db, and using ACID as web-frontend
(which is SLOW btw). The number of daily alerts is between 5k and 10k.

Any help on the subject is greatly appreciated!

--
John Magne Bredal
Student ved NTNU - Telematikk
http://www.stud.ntnu.no/~bredal
bredal at ...4842...

"Just because you're paranoid, doesn't mean they're not after you."





More information about the Snort-users mailing list