[Snort-users] Am I in the right place? (was: Tips for using ACID in a multi-admin environment)

Brian bmc at ...950...
Thu May 29 14:01:01 EDT 2003

On Thu, May 29, 2003 at 01:46:02PM -0500, Williams Jon wrote:
> I apologize if this seems a bit troll-like, I don't intend it to be.  I
> posted this message a couple of weeks ago and got zero responses.  A few
> days later, someone else asked about Fortune 500 users and I saw, I think,
> one response.  While I read this list a lot, I'm starting to wonder if I'm
> asking questions in the right place.

Well, this is the place.  There are a ton of large corporations, government,
and military installations (not just US mil & gov).  I know for a fact that 
snort is used all over the place.  I'll go through your questions one
by one and try and answer so you don't feel as if you are talking to a

> I've been using snort for a while now, something like 2-3 years, and am
> monitoring a moderate amount of traffic (i.e. the busiest box is watching
> between 50-60 mbps sustained during business hours, and I've got several
> scattered across multiple timezones).  I believe, rightly or wrongly, that
> I've gone through the same phases that I see a lot of people go through on
> this list (how do I build it, why doesn't it run, why do I get so many
> alerts for stuff I don't care about, how do I write a custom rule) and am
> now starting to ask other questions, like the one below.  Since I don't get
> any response, I'm not sure if 

> a) people are too concerned about their corporate security to share,

Yep.  Basically, if you talk on a product/tool mailing list, you
probably use that tool.  Security people are generally very paranoid
about security stuff.

> b) are willing to share but are no longer on this particular list,

Nah, mostly people don't like to share because they fear they don't
know enough (though, most times their fears are invalid) or they
figure Erek will answer your questions.  (Erek rocks, but he's only two
or three guys, and sometimes in the exchange between the three guys,
things get dropped. :P)

> c) are willing to answer, but my situation is unique,

Could be.  That happens quite a bit.

> or d) there's no answer to my problems.

Could be.  I don't remember your question, but I have about 300 emails
from snort-users that I haven't read yet.

> So, is there a better list for advanced snort issues and/or enterprise snort
> deployment questions?  

Nope.   This is the place.  This list does get quite a bit of traffic,
so maybe waiting a few more days for someone to answer might be
appropriate.  We've got to wade through all of those
php/acid/mysql/postgres/linux-8.0 questions to get to the "new" ones.
