[Snort-users] Getting more paranoid by the minute. :-/
Shaun T. Erickson
ste at ...11690...
Sat Apr 24 20:56:06 EDT 2004
Demetri Mouratis wrote:
> On Sat, 24 Apr 2004, Shaun T. Erickson wrote:
>>Somewhat unrelated question: Once I set this up, how much time should I
>>expect to have to spend on it daily?
> The answer is that the time required depends on a number of factors: snort
> ruleset, number of hosts/nets monitored, and level of treatment given to
> each incident. You can greatly reduce the time involvement per incident
> by using a nice web front end (I use acid) and database backend
> (PostgreSQL) that will allow you to drill down on an incident and quickly
> find out more information about the offending IP and what other nefarious
> things it has done to your network.
Pending learning more about them, Acid & MySQL was what I was thinking
of. I'm trying to decide if the three snort systems should have their
own acid/mysql or if two should log to the database on the third, so I
can have one database and one acid ... I think that comes in a later
> Also, keep in mind that even on a well configured snort system, you may
> get alerts faster than you can process them. It will take some time for
> you to get used to your own environment and filter out the noise from the
> really bad stuff and then tune your ruleset and/or firewalls accordingly.
> This is an ongoing process.
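The triage Demetri describes (drilling down on an offending IP, and spotting which low-priority signatures generate most of the volume so the ruleset can be tuned) can be done against plain `alert_fast` output even before a database and ACID are in place. The script below is an added example for this thread, not code from the original post or from the Snort project; the alert lines, the `LOCAL` rule messages and the SIDs 100001-100004 are constructed for illustration and are not real detections, and the parser assumes Snort 2.x `alert_fast` format with IPv4 addresses.

```python
import re
from collections import Counter, defaultdict

# Snort 2.x "alert_fast" line layout (IPv4 only; ICMP alerts carry no ports):
# TS  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} SRC:SPORT -> DST:DPORT
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample input (hypothetical LOCAL rules and documentation addresses);
# the last line is a daemon message, not an alert, and must be counted as unparsed.
SAMPLE_ALERTS = [
    "04/24-20:01:02.000001  [**] [1:100001:1] LOCAL SSH scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:40001 -> 198.51.100.5:22",
    "04/24-20:01:02.000002  [**] [1:100001:1] LOCAL SSH scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:40002 -> 198.51.100.6:22",
    "04/24-20:01:03.000003  [**] [1:100001:1] LOCAL SSH scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:40003 -> 198.51.100.7:22",
    "04/24-20:01:30.000004  [**] [1:100003:2] LOCAL noisy SNMP poll [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.5:161 -> 10.0.0.9:162",
    "04/24-20:01:31.000005  [**] [1:100003:2] LOCAL noisy SNMP poll [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.5:161 -> 10.0.0.9:162",
    "04/24-20:01:32.000006  [**] [1:100003:2] LOCAL noisy SNMP poll [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.5:161 -> 10.0.0.9:162",
    "04/24-20:01:33.000007  [**] [1:100003:2] LOCAL noisy SNMP poll [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.5:161 -> 10.0.0.9:162",
    "04/24-20:02:05.000009  [**] [1:100004:1] LOCAL ICMP echo [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 198.51.100.5",
    "04/24-20:02:00.000008  [**] [1:100002:1] LOCAL web admin probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:40004 -> 198.51.100.8:80",
    "Apr 24 20:02:06 sensor1 snort[1234]: Reload complete",
]


def parse_alert(line):
    """Return the fields of one alert_fast line as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["prio"] = int(a["prio"])
    return a


def summarize(lines):
    """Count alerts per signature and per source IP; lines that do not parse are counted, not dropped silently."""
    by_sig = Counter()            # (sid, msg) -> alert count
    by_src = Counter()            # source IP -> alert count
    sigs_per_src = defaultdict(set)
    prio_of_sid = {}
    unparsed = 0
    for line in lines:
        a = parse_alert(line)
        if a is None:
            unparsed += 1
            continue
        by_sig[(a["sid"], a["msg"])] += 1
        by_src[a["src"]] += 1
        sigs_per_src[a["src"]].add(a["sid"])
        prio_of_sid[a["sid"]] = a["prio"]
    return {"total": sum(by_sig.values()), "unparsed": unparsed, "by_sig": by_sig,
            "by_src": by_src, "sigs_per_src": sigs_per_src, "prio_of_sid": prio_of_sid}


def top_sources(summary, n=5):
    """Busiest source IPs as (ip, alert_count, distinct_signature_count): many distinct sigs from one IP is the interesting case."""
    return [(ip, c, len(summary["sigs_per_src"][ip]))
            for ip, c in summary["by_src"].most_common(n)]


def tuning_candidates(summary, min_prio=3, min_share=0.25):
    """Low-priority signatures that account for a large share of all alerts: review these for thresholding or suppression."""
    total = summary["total"] or 1
    return sorted(sid for (sid, _msg), c in summary["by_sig"].items()
                  if summary["prio_of_sid"][sid] >= min_prio and c / total >= min_share)


def drill_down(lines, ip):
    """Everything one source IP triggered, in time order (alert_fast timestamps within one day sort lexically)."""
    hits = [a for a in map(parse_alert, lines) if a and a["src"] == ip]
    return sorted(hits, key=lambda a: a["ts"])


if __name__ == "__main__":
    s = summarize(SAMPLE_ALERTS)
    print(f"{s['total']} alerts parsed, {s['unparsed']} non-alert lines skipped")
    for ip, count, nsigs in top_sources(s):
        print(f"{ip:>15}  {count:3d} alerts  {nsigs} distinct signatures")
    print("tuning candidates (low priority, high volume):", tuning_candidates(s))
    for a in drill_down(SAMPLE_ALERTS, "192.0.2.10"):
        print(f"  {a['ts']}  sid {a['sid']}  {a['msg']}  -> {a['dst']}:{a['dport']}")
```

The point of `tuning_candidates` is the "ongoing process" in the reply: a priority-3 signature producing nearly half the alert volume is the first thing to threshold or suppress in the ruleset, while a single source that trips several different signatures (as 192.0.2.10 does here) is what you drill down on first. The same counters map directly onto the per-IP and per-signature views ACID gives you once the alerts are in a database.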