[Snort-users] *very* many snort installations..

Mokum snort at ...1584...
Wed Nov 26 05:46:08 EST 2003


I was requested to look into the possibility of installing snort as a 
service on 'all' [XP only] workstations [*way* over 10.000] of a very 
large, very global organization.

The goal is to have a better insight into the 'known bad' data flows 
throughout the network. Of course, the main parts of the network are 
already IDS'ed so the workstation installation would be a sort of 
extended sensorium to make sure we see things behind the routers, 
switches, nat'ing devices & firewalls that normally go undetected until 
things go really really wrong.

The well known pitfalls of rollouts like these that I am aware of are:
- the manageability:
       - collection of events
       - the number of the events

- the QA
       - snort.exe
             - stability of the service
             - resources needed
       - quality of the rules implemented

Not my problem is:
- the installation & distribution of the service, this is done for about 
1000 other applications too.
- the updating of the rules [is part of the distribution]

My question is if anybody on the list has experience [good or bad] with 
a concept like this? Any pointers?


