[Snort-users] Getting more paranoid by the minute. :-/

Shaun T. Erickson ste at ...11690...
Sat Apr 24 20:56:06 EDT 2004

Demetri Mouratis wrote:

> On Sat, 24 Apr 2004, Shaun T. Erickson wrote:
>>Somewhat unrelated question: Once I set this up, how much time should I
>>expect to have to spend on it daily?
> The answer is the time required depends on a number of factors: snort
> ruleset, number of hosts/nets monitored, and level of treatment given to
> each incident.  You can greatly reduce the time involvement per incident
> by using a nice web front end (I use acid) and database backend
> (PostgreSQL) that will allow you to drill down on an incident and quickly
> find out more information about the offending IP and what other nefarious
> things it has done to your network.

Pending learning more about them, Acid & MySQL was what I was thinking 
of. I'm trying to decide if the three snort systems should have their 
own acid/mysql or if two should log to the database on the third, so I 
can have one database and one acid ... I think that comes in a later 
chapter. :)

> Also, keep in mind that even on a well configured snort system, you may
> get alerts faster than you can process them.  It will take some time for
> you to get used to your own environment and filter out the noise from the
> really bad stuff and then tune your ruleset and/or firewalls accordingly.
> This is an ongoing process.



More information about the Snort-users mailing list