[Snort-users] Am I in the right place? (was: Tips for using ACID in a multi-admin environment)

Erek Adams erek at ...950...
Thu May 29 16:13:06 EDT 2003

On Thu, 29 May 2003, Williams Jon wrote:

> I apologize if this seems a bit troll-like, I don't intend it to be.

If you're a Troll, then I'll be Billy-Goat Gruff [0].  ;-)

> I posted this message a couple of weeks ago and got zero responses.  A
> few days later, someone else asked about Fortune 500 users and I saw, I
> think, one response.  While I read this list a lot, I'm starting to
> wonder if I'm asking questions in the right place.

No, you are.  See below.

> I've been using snort for a while now, something like 2-3 years, and am
> monitoring a moderate amount of traffic (i.e. the busiest box is watching
> between 50-60 mbps sustained during business hours, and I've got several
> scattered across multiple timezones).  I believe, rightly or wrongly, that
> I've gone through the same phases that I see a lot of people go through on
> this list (how do I build it, why doesn't it run, why do I get so many
> alerts for stuff I don't care about, how do I write a custom rule) and am
> now starting to ask other questions, like the one below.  Since I don't get
> any response, I'm not sure if

> a) people are too concerned about their corporate security to share,

This is the case for some folks.  You might be surprised to find out how
much lists like this are monitored for some little tidbit of info.

> b) are willing to share but are no longer on this particular list,

Again some.  Many of the people on this list who are willing to share are
still around, but some have gone away.

> c) are willing to answer, but my situation is unique,

I don't see your situation as unique--It's just a bit unusual.  For the
most part many companies don't/won't have anyone but you to handle the
security work.

> or d) there's no answer to my problems.

There is, but it depends on you and what's good for your organization.  No
matter what people set up at their site, in all reality it won't be the
'perfect' thing for you.

> So, is there a better list for advanced snort issues and/or enterprise snort
> deployment questions?  If not, are there people on this list who've gone
> through these issues and don't want to discuss them in a public forum?  As I
> said, I'm not trying to be a rabble-rouser, it's just that the great support
> from the mailing list was one of the selling points when I convinced
> management to go Open Source, so it's a bit confusing/embarrassing when I
> send out questions that get no response at all.

As for a better forum--No.  This is the beginner and advanced area.  :)

As for the answer to your problem...  Well, it's complicated.  You have to
examine your current setup and operation to find all the faults that it
has.  You'll then need to dream up how you would like things to 'really
work'.  Sadly, the reality of what you can do is somewhere in the middle of
those two.  There is no perfect solution, and there never will be.

As for ideas...  Well, here are some in no particular order:

	*  Layered setup
	*  Use something other than ACID (sguil [1])
	*  Use something like NetCool [2]
	*  Divide things up by 'Zones', services, or IP.

Anyway, there are tons more.  It's only limited by your imagination and
funding.  ;-)  If you're interested in specifics, let me know and I'll
explain it in more detail.

Hope that's some help!

Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

[0]	http://www.funpagesforkids.com/billy/
[1]	http://sguil.sourceforge.net/
[2]	http://www.micromuse.com/products/netcool_suite_overview.html