[Snort-users] Newbie question (sorta): implementing a replacement SNORT box

Greg Webster greg at ...9390...
Thu Jun 5 13:37:11 EDT 2003


Hi all,

I guess I'm not a complete newbie, as I had some experience with SNORT
as part of the IPCop firewall linux distribution. I have some questions
though.

A few months back, a client of ours was hit with a nasty 4 day DDoS. He
ended up bringing in a consultant group who borrowed a machine from us
to set up a SNORT IDS machine on the network (alas, it was too late to
actually capture the traffic and find the DDoSser).

Now I've got to get our machine back, which means that I've got to set
up a new client machine with SNORT. The machine will be completely
dedicated to sitting there waiting for a DDoS (or other attack?) to
happen and hopefully capture the information necessary to stop the
DDoSser permanently.

My questions are...am I going down the right road? Is this going to be
an onerous task? I'm quite proficient in linux, how long should I expect
to spend setting up SNORT to do this? Any suggestions? Please note that
I will not be able to access any configuration on the current SNORT box
(much as I wish I could).

Thanks,

Greg