[Snort-users] Am I in the right place? (was: Tips for using ACID in a multi-adm in environment)

Jonathan Jesse jjesse at ...9127...
Fri May 30 07:00:15 EDT 2003

While I'm not in a large situation like this, I find myself in the too
busy to respond to everything.  Also the fact that I'm the newbie to
snort I can't really help out the complicated answers.  The majority of
the problem comes down to the fact that a lot of us that use Snort are
the same person for all network related problems and are swamped with
other issues.  I like to see both the beginner and advanced comments on
the list.  It help guides me to further my knowledge of Snort.

Jonathan Jesse
Network Specialist
Founders Trust Bank
This page and any accompanying documents contain confidential
information intended for a specific individual and purpose. If you are
not the intended recipient, you are hereby notified that any disclosure,
copying, distribution, or use of the information contained herein
(including any reliance thereon) is strictly prohibited. If you received
this transmission in error, please immediately contact the sender and
destroy the material in its entirety, whether in electronic or hard copy

-----Original Message-----
From: Erek Adams [mailto:erek at ...950...] 
Sent: Thursday, May 29, 2003 7:13 PM
To: Williams Jon
Cc: Snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Am I in the right place? (was: Tips for using
ACID in a multi-adm in environment)

On Thu, 29 May 2003, Williams Jon wrote:

> I apologize if this seems a bit troll-like, I don't intend it to be.

If you're a Troll, then I'll be Billy-Goat Gruff [0].  ;-)

> I posted this message a couple of weeks ago and got zero responses.  A
> few days later, someone else asked about Fortune 500 users and I saw,
> think, one response.  While I read this list a lot, I'm starting to
> wonder if I'm asking questions in the right place.

No, you are.  See below.

> I've been using snort for a while now, something like 2-3 years, and
> monitoring a moderate amount of traffic (i.e. the busiest box is
> between 50-60 mbps sustained during business hours, and I've got
> scattered across multiple timezones).  I believe, rightly or wrongly,
> I've gone through the same phases that I see a lot of people go
through on
> this list (how do I build it, why doesn't it run, why do I get so many
> alerts for stuff I don't care about, how do I write a custom rule) and
> now starting to ask other questions, like the one below.  Since I
don't get
> any response, I'm not sure if

> a) people are too concerned about their corporate security to share,

This is the case for a some folks.  You might be surprised to find out
much lists like this are monitored for some little tidbit of info.

> b) are willing to share but are no longer on this particularl list,

Again some.  Many of the people on this list who are willing to share
still around, but some have gone away.

> c) are willing to answer, but my situation is unique,

I don't see your situation as unique--It's just a bit unusual.  For the
most part many companies don't/won't have anyone but you to handle the
security work.

> or d) there's no answer to my problems.

There is, but it depends on you and what's good for your organization.
matter what people setup at their site in all reality it won't be the
'perfect' thing for you.

> So, is there a better list for advanced snort issues and/or enterprise
> deployment questions?  If not, are there people on this list who've
> through these issues and don't want to discuss them in a public forum?
As I
> said, I'm not trying to be a rabble-rouser, it's just that the great
> from the mailing list was one of the selling points when I convinced
> management to go Open Source, so it's a bit confusing/embarrassing
when I
> send out questions that get no response at all.

As for a better forum--No.  This is the beginner and advanced area.  :)

As for the answer to your problem...  Well, it's complicated.  You have
examine your current setup and operation to find all the faults that it
has.  You'll then need to dream up how you would like things to 'really
work'.  Sadly, reality of what you can do is somewhere in the middle of
those two.  There is no perfect solution, and there never will be.

As for ideas...  Well, here's some in no order:

	*  Layered setup
	*  Use something other than ACID (sguil [1])
	*  Use something like NetCool [2]
	*  Divide things up by 'Zones', services, or IP.

Anyway, there are tons more.  It's only limited by your imagination and
funding.  ;-)  If you're interested in specifics, let me know and I'll
explain it in more detail.

Hope that's some help!

Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

[0]	http://www.funpagesforkids.com/billy/
[1]	http://sguil.sourceforge.net/
[2]	http://www.micromuse.com/products/netcool_suite_overview.html

This SF.net email is sponsored by: eBay
Get office equipment for less on eBay!
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list