[Snort-users] Getting more paranoid by the minute. :-/

Demetri Mouratis dmourati at ...3877...
Sat Apr 24 20:50:05 EDT 2004


On Sat, 24 Apr 2004, Shaun T. Erickson wrote:
> Somewhat unrelated question: Once I set this up, how much time should I
> expect to have to spend on it daily?

The answer is that the time required depends on a number of factors: snort
ruleset, number of hosts/nets monitored, and level of treatment given to
each incident.  You can greatly reduce the time involvement per incident
by using a nice web front end (I use acid) and database backend
(PostgreSQL) that will allow you to drill down on an incident and quickly
find out more information about the offending IP and what other nefarious
things it has done to your network.

Also, keep in mind that even on a well configured snort system, you may
get alerts faster than you can process them.  It will take some time for
you to get used to your own environment and filter out the noise from the
really bad stuff and then tune your ruleset and/or firewalls accordingly.
This is an ongoing process.

---------------------------------------------------------------------
Demetri Mouratis
dmourati at linfactory.com
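Added example, not part of the post above: a small Python triage helper that parses Snort's alert_fast log lines, counts alerts per signature and per source IP, and flags low-priority signatures that fire repeatedly as candidates for ruleset tuning. The sample alert lines, SIDs and addresses are constructed for the demonstration.

```python
import re
from collections import Counter, defaultdict

# Snort alert_fast format: one alert per line, e.g.
# 04/24-20:50:05.123456  [**] [1:384:5] ICMP PING [**] [Classification: ...] [Priority: 3] {ICMP} a.b.c.d -> e.f.g.h
ALERT_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\]\s+'
    r'(?:\[Classification:\s*(?P<class>[^\]]*)\]\s+)?'   # classification is optional
    r'\[Priority:\s*(?P<prio>\d+)\]\s+'
    r'\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+'
    r'(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$'            # ICMP alerts carry no ports
)

def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not an alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d['prio'] = int(d['prio'])
    return d

def summarize(lines, noise_threshold=3):
    """Aggregate alerts by signature and by source IP.

    Returns (by_sig, by_src, noisy): counts per (gid, sid, msg), per-source
    counts of those signatures, and the sorted list of low-priority
    (Priority >= 3) signatures seen at least noise_threshold times."""
    by_sig = Counter()
    by_src = defaultdict(Counter)
    prio = {}
    for line in lines:
        a = parse_alert(line)
        if a is None:          # skip preprocessor chatter, blank or truncated lines
            continue
        key = (a['gid'], a['sid'], a['msg'])
        by_sig[key] += 1
        prio[key] = a['prio']
        by_src[a['src']][key] += 1
    noisy = sorted(k for k, n in by_sig.items()
                   if n >= noise_threshold and prio[k] >= 3)
    return by_sig, by_src, noisy

# Constructed sample log: three noisy pings from one host, one high-priority hit from another.
SAMPLE_ALERTS = """\
04/24-20:50:05.123456  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 198.51.100.5
04/24-20:50:06.223456  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 198.51.100.6
04/24-20:50:07.323456  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 198.51.100.7
04/24-20:50:09.423456  [**] [1:1000001:1] LOCAL placeholder rule [**] [Priority: 1] {TCP} 203.0.113.7:4444 -> 198.51.100.5:22
not an alert line
"""
```

Signatures returned in `noisy` are the ones worth suppressing or thresholding first; `by_src` gives the per-IP drill-down the post describes doing through a web front end.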
