[Snort-users] Security Metrics and Snort

Wynn Fenwick wfenwick at ...2714...
Thu Mar 21 13:15:36 EST 2002

We've been running Snort for quite a while and I came up with a pretty decent
set of objectives and metrics to support it for security management to
see the value that Snort is providing us.

Currently we report the following:
- num alerts per week
- num and severity of incidents
  - based on NSW/Northcutt's Criticality+Lethality-(Network+System
- num lines in the analyst diary txt file (I know, I know but it's
better than saying "yep, the IDS DA spent 8 hours today doing
monitoring..." :) - Our 1.5 analysts keep interesting stuff in a diary
like the duty handler they used to do at incidents.org. This is some
measure of the level of effort for analysis other than "hours" which is
artificially constant.

What statistical reports/metrics do you present to your management to
justify an IDS program and specifically a Snort deployment?

Has anyone ever done a dreaded total cost of ownership analysis on a
Snort IDS vs [insert commercial products here]? I am always being asked
"but yeah it costs more to maintain because you need to know Unix, Perl,
AND Apache". My answer is usually - the IDS analyst needs to know that
anyway to be an effective analyst so it's a moot point.

