[Snort-users] Whatever OS We Use

Erickson Brent W KPWA erickson at ...160...
Mon Mar 18 07:49:02 EST 2002


Whatever OS we use, Snort is the only pig I know that can fly through the
bandwidth, glide through the alerts on ACID, and stream binary captured data
at 100 miles an hour between two systems.

We have been using Snort since version 1.6 and the only limitations we have
encountered so far with Snort have been the limitations of our own
imagination.

So we use Snort for:

1. Real time alerting (in many probes and attacks, Snort provides us an
early enough warning to take action provided we are paying attention)

2. Near real time or after action analysis. Give me the data content on that
suspicious alert e-mail message that I just received.

3. Snort in the DMZ in front of two other Snort systems behind a firewall
that can be used as a firewall and internal Snort system rules verifier.
Shows us and allows us to test what our outer firewall is or is not
effectively blocking. Configure Snort alerts according to your inner and
outer firewall rules for testing and if you try to break into your own
systems.

4. Snort on a Laptop. A great tool for troubleshooting local and remote
customer network connectivity and firewall problems. Big bonus here Marty
not to take anything away from TCPDUMP or Ethereal which we also use. We are
able to quickly troubleshoot many customer connectivity problems with Snort
in a matter of minutes. They call you up, you get their address, and in
seconds after: snort -d -l log host xxx.xxx.xxx.xxx you are capturing their
traffic and detecting what is or is not happening. Saves allot of
troubleshooting time and money and makes many happy customers.

5. Snort logging all traffic for archive and analysis, two Snort sniffers
streaming the data to 2 NICs on a terabyte server with direct crossover
cables.

6. Snort discovery system. Learn that traffic. What is going on with these
high outbound or inbound ports. So we do a one trick pony system (1 or 2
rules). Maybe we should call it a one trick piggy system. Like so:

alert tcp $EXTERNAL_NET any -> $HOME_NET 4500: (msg:"High Port Inbound
Connect Attempt"; flags:S; tag:session,6,packets;)

This and more is all possible thanks to all of you and I mean it.

Brent Erickson




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20020318/6c84cec6/attachment.html>


More information about the Snort-users mailing list