[Snort-users] *very* many snort installations..
snort at ...1584...
Wed Nov 26 05:46:08 EST 2003
I was requested to look into the possibility to install snort as a
service on 'all' [XP only] workstations [*way* over 10.000] of a very
large, very global organization.
The goal is to have a better insight in the 'known bad' data flows
throughout the network. Of course, the main parts of the network are
already IDS'ed so the workstation installation would be a sort of
extended sensorium to make sure we see things behind the routers,
switches, nat'ing devices & firewalls that normally go undetected until
things go really really wrong.
The well known pitfalls of rollouts like these that I am aware of are:
- the manageability:
- collection of events
- the number of the events
- the QA
- stability of the service
- resources needed
- quality of the rules implemented
Not my problem is:
- the installation & distribution of the service, this is done for about
1000 other applications too.
- the updating of the rules [is part of the distribution]
My question is if anybody on the list has experience [good or bad] with
a concept like this? Any pointers?