[Snort-users] Tips for using ACID in a multi-admin environment?

Anthony Kim Anthony.Kim at ...9338...
Fri May 30 11:32:07 EDT 2003


On Mon, May 19, 2003, Williams Jon wrote:

> I've been using snort/ACID for a couple of years now, and it's been working
> fairly well for me, but my whinging to management has been successful, and
> now I've got help.  While this is a good thing, it has introduced a new
> wrinkle that I hadn't planned for: we are now tending to tromp on each
> other's work while reviewing alerts in ACID.
> 
> Due to the number of alerts we get in a day (5000-6000/day typically,
> although a single broken machine can generate 30k+ in a matter of minutes),
> we tend to delete the alerts out of ACID but keep the tcpdump files
> indefinitely.  As I said before, this worked fine with one analyst, but now
> that we've got more, we're running into the problem that one will delete the
> alerts that the other is working on or we just fall back to a single analyst
> reviewing alerts while the others do other stuff.
> 
> Has anyone come up with good practices/procedures that they're willing to
> share that have dealt with this problem?

Hi Jon,

I believe others offered up some ideas in another thread which
you may consider.  My first impression was, well, segment
administration into manageable zones and assign owners to each
zone.

As you've seen, the stateless nature of snort/ACID management
makes for difficulties in administration.  But this is a common
IT problem.

Perhaps you can assign a duty analyst who alone is responsible
for deletes?  Once everyone is onboard, the non-duty analysts can
focus on reviewing alerts and not database maintenance.

If your situation is such that your alerts are a
never-ending clickstream of deletia, then perhaps you might
reconsider what you are logging, tune your policies some more?

Regarding ACID.  I'm against the crowd on this one.  We tried it
here, but it didn't catch on.  I found myself more often than not
running snort -devr and tethereal on the libpcap files rather
than dealing with the point-click-and-wait-cycle that a web
interface gives you.

Hope I gave you some ideas.  And, yeah, lots of big companies use
snort.

Anthony
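One way to enforce the "only the duty analyst deletes" rule at the MySQL layer that ACID queries, as an added example that is not part of the thread: per-analyst database accounts where DELETE on the alert tables is granted to a single account, so a reviewer cannot remove alerts a colleague is working on even by accident. It assumes the snort database is named `snort`, MySQL 4-era `GRANT ... IDENTIFIED BY` syntax, the standard snort/ACID table names, and placeholder account names and passwords.

```sql
-- Added example (not from the thread). Assumptions: database `snort`,
-- ACID connecting as a per-analyst MySQL user, standard snort/ACID table
-- names; account names and passwords are placeholders.

-- Review-only analysts: read everything, but may only write to the ACID
-- bookkeeping tables (alert groups, IP cache, event cache) that the web
-- interface needs in order to work. No DELETE on the alert data itself.
GRANT SELECT ON snort.* TO 'analyst_a'@'localhost' IDENTIFIED BY 'CHANGE_ME';
GRANT INSERT, UPDATE, DELETE ON snort.acid_ag       TO 'analyst_a'@'localhost';
GRANT INSERT, UPDATE, DELETE ON snort.acid_ag_alert TO 'analyst_a'@'localhost';
GRANT INSERT, UPDATE         ON snort.acid_ip_cache TO 'analyst_a'@'localhost';
GRANT INSERT, UPDATE         ON snort.acid_event    TO 'analyst_a'@'localhost';

-- Duty analyst: the same plus DELETE on the whole schema, so ACID's
-- "delete alert(s)" action succeeds only when run under this account.
GRANT SELECT, INSERT, UPDATE, DELETE ON snort.*
    TO 'duty'@'localhost' IDENTIFIED BY 'CHANGE_ME';

FLUSH PRIVILEGES;

-- Check, run while connected as analyst_a: the server refuses the delete
-- with a "DELETE command denied to user" error, while the same statement
-- succeeds for 'duty'. (sid/cid values are placeholders.)
DELETE FROM snort.event WHERE sid = 1 AND cid = 1;
```

Revoking DELETE from the general analyst accounts and keeping it on one duty account also leaves a clear audit trail in the MySQL connection logs of who removed what.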