[Snort-users] Security Metrics and Snort
wfenwick at ...2714...
Thu Mar 21 13:15:36 EST 2002
We've been running Snort for quite a while, and I came up with a pretty decent
set of objectives and metrics to support it, for security management to
see the value that Snort is providing us.
Currently we report the following:
- num alerts per week
- num and severity of incidents
  - based on NSW/Northcutt's Criticality+Lethality-(Network+System
- num lines in the analyst diary txt file (I know, I know, but it's
better than saying "yep, the IDS DA spent 8 hours today doing
monitoring..." :) - Our 1.5 analysts keep interesting stuff in a diary
like the duty handler they used to do at incidents.org. This is some
measure on level of effort for analysis other than "hours", which is
What statistical reports/metrics do you present to your management to
justify an IDS program and specifically a Snort deployment?
Has anyone ever done a dreaded total cost of ownership analysis on a
Snort IDS vs [insert commercial products here]? I am always being asked,
"but yeah, it costs more to maintain because you need to know Unix, Perl,
AND Apache". My answer is usually - the IDS analyst needs to know that
anyway to be an effective analyst, so it's a moot point.
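The weekly alert count and the per-incident severity score above are simple enough to pull straight out of Snort's own output. The script below is an added example, not code from the original post or from the Snort project: it parses a few constructed lines in Snort's "fast" alert format (snort -A fast), rolls them up into alerts per ISO week, alerts per Snort priority and the noisiest signatures, and scores an incident. Two assumptions are mine: the fast format carries no year, so the parser takes one as a parameter (2002 here), and the Northcutt severity formula is taken to be (Criticality + Lethality) - (System countermeasures + Network countermeasures) with each factor scored 1 to 5, since the post's own line is cut short.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed Snort "fast"-style alert lines (snort -A fast); not real traffic.
# The last line is deliberately malformed to show that the report skips it.
SAMPLE_ALERTS = """\
03/18-02:14:07.103211  [**] [1:1000001:1] CONSTRUCTED portscan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:4444 -> 192.168.1.10:80
03/18-09:41:55.220019  [**] [1:1000002:1] CONSTRUCTED web cmd attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.7:51234 -> 192.168.1.20:80
03/19-11:02:13.000001  [**] [1:1000003:1] CONSTRUCTED icmp ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.9 -> 192.168.1.1
03/26-04:30:00.500000  [**] [1:1000002:1] CONSTRUCTED web cmd attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.7:51240 -> 192.168.1.20:80
this line is not an alert and must be skipped, not crash the report
"""

# One fast-format alert line. The timestamp has no year, so the caller supplies it.
FAST_RE = re.compile(
    r"^(?P<md>\d{2}/\d{2})-(?P<hms>\d{2}:\d{2}:\d{2})\.\d+\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s+(?P<cls>[^\]]+)\])?"
    r"\s+\[Priority:\s+(?P<prio>\d+)\]"
)


def parse_alerts(text, year=2002):
    """Return one dict per well-formed alert line; malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if not m:
            continue
        stamp = "%d/%s-%s" % (year, m.group("md"), m.group("hms"))
        alerts.append({
            "time": datetime.strptime(stamp, "%Y/%m/%d-%H:%M:%S"),
            "sid": int(m.group("sid")),
            "msg": m.group("msg"),
            "classification": m.group("cls"),
            "priority": int(m.group("prio")),
        })
    return alerts


def weekly_counts(alerts):
    """Alerts per ISO week, keyed (iso_year, iso_week): the 'num alerts per week' figure."""
    counts = Counter()
    for a in alerts:
        iso = a["time"].isocalendar()
        counts[(iso[0], iso[1])] += 1
    return counts


def priority_counts(alerts):
    """Alerts per Snort priority (1 = highest): a first cut at how serious the week was."""
    return Counter(a["priority"] for a in alerts)


def top_signatures(alerts, n=3):
    """Most frequent (sid, msg) pairs; noisy rules surface here as tuning candidates."""
    return Counter((a["sid"], a["msg"]) for a in alerts).most_common(n)


def incident_severity(criticality, lethality, system_cm, network_cm):
    """Northcutt-style incident severity, ASSUMED here to be
    (criticality + lethality) - (system countermeasures + network countermeasures),
    each factor scored 1..5, so the result ranges from -8 to 8."""
    for v in (criticality, lethality, system_cm, network_cm):
        if not 1 <= v <= 5:
            raise ValueError("each factor must be scored 1..5")
    return (criticality + lethality) - (system_cm + network_cm)


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print("alerts per ISO week:", dict(weekly_counts(alerts)))
    print("alerts per priority:", dict(priority_counts(alerts)))
    print("top signatures:", top_signatures(alerts))
    # Constructed incident: critical server (5), lethal exploit (4),
    # patched host (2), no network filtering in place (1).
    print("incident severity:", incident_severity(5, 4, 2, 1))
```

Feed it a real alert file with `parse_alerts(open("alert").read(), year=...)`; the weekly and priority counters are the two numbers worth putting in front of management, and the top-signature list is the one the analysts will want for rule tuning.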