[Snort-users] Snort Deployment Suggestions

Josh Berry josh.berry at ...10221...
Wed Feb 25 13:23:07 EST 2004


The way my company monitors multiple subnets (not as many as you, around
15) is with a combination of systems.  We use TopLayers IDS Balancer to
aggregate data from our asymmetrically routed data center.  Then we feed
everything into a Crossbeam C30 appliance.  Crossbeam makes general
purpose hardened security appliances.  We are running 10 instances of
Snort and the box still runs great.  The box has 2 Gigabit ports and about
16 10/100.

Josh


> Greetings,
>
> I have a need for some experienced feedback/wisdom on Snort deployment.
> I have a large network (50 subnets) that we want to monitor for
> Intrusion Detection.
>
> Initially my plan was to include 3-4 Snort boxes in various strategic
> locations, such as the Backbone, behind the firewall of our core
> servers, and a couple admin specific networks, recording alerts/events
> to a local MySQL server Database, and having a batch script copying
> those various MySQL databases into a single Oracle repository for
> analysis.
>
> After discussion of my plan with management, it was suggested that we
> monitor all 50 subnets for Intrusion attempts. The only cost effective
> way I could think to do this was to have multiple servers with 2-4
> multiport NICs and setup Snort to monitor each individual subnet. I
> would have one server as a MySQL database server, have each
> multiport/MultiNIC machine report back to a local MySQL database, and as
> before, have all of these MySQL Databases write back to a single Oracle
> Repository.
>
> Snort Stack
> +-----------------------+
> |  MySQL Server         |
> +-----------------------+
> +-----------------------+
> |  Snort #1             |
> +-----------------------+
> +-----------------------+
> |  Snort #2             |
> +-----------------------+
> +-----------------------+
> |  Snort #3             |
> +-----------------------+
> +-----------------------+
> |  Snort #4             |
> +-----------------------+
>
> Snort #1-4 being boxes that contain 2-4 Multiport NICs, and saving all
> their alerts up to the MySQL server.
>
> This configuration will be located in 3 locations on campus, and have
> each of the three MySQL databases batch copy the records over to an
> oracle database for analysis.
>
> What advice could any of you offer for my situation? What books have you
> found to good and useful? Has anyone attempted to use multiport NICs to
> monitor multiple Networks?
>
> Any advice you can provide would be greatly appreciated! :D And, if I
> get this configuration to work, I'd be happy to document it and share
> the results.
>
> Thanks,
> Tom
>
> *********************************************************
> * Tom Riley                    tom.riley at ...11294... *
> * Systems Engineer          UAA/ITS Infrastructure Team *
> *                ----------------                       *
> * "What we plant in the soil of contemplation, we shall *
> *   reap in the harvest of action." -Meister Eckhart    *
> *********************************************************
>


Thanks,
Josh Berry, CISSP
CTO, VP of Product Development
LinkNet-Solutions
469-831-8543
josh.berry at ...10268...
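Tom's design above feeds several per-sensor MySQL databases into one central Oracle repository by batch copy. The sketch below is an added example, not code from either poster, of how that batch copy can be made incremental and re-runnable. It assumes sqlite3 in-memory databases as stand-ins for the MySQL and Oracle servers, and uses a reduced subset of the Snort database schema, in which every alert is keyed by (sid, cid): a sensor id plus a per-sensor event counter. Because each sensor database hands out its own sid sequence, the central table keys events by (source, sid, cid) so that two sites whose first sensor is sid 1 do not overwrite each other; the per-(source, sid) watermark means a re-run copies only new alerts, and INSERT OR IGNORE makes a batch that died between inserting rows and committing its watermark safe to repeat. Sample alerts are constructed, not captured.

```python
import sqlite3

# Reduced subset of the Snort/ACID "event" table: (sid, cid) keys each alert.
SENSOR_SCHEMA = """
CREATE TABLE event (
    sid       INTEGER NOT NULL,
    cid       INTEGER NOT NULL,
    signature TEXT    NOT NULL,
    timestamp TEXT    NOT NULL,
    PRIMARY KEY (sid, cid)
);
"""

# Central repository (stand-in for the Oracle side). Keyed by (source, sid, cid)
# because each sensor database assigns its own sid sequence, so sid alone is
# not unique once several MySQL servers feed one repository.
CENTRAL_SCHEMA = """
CREATE TABLE event (
    source    TEXT    NOT NULL,
    sid       INTEGER NOT NULL,
    cid       INTEGER NOT NULL,
    signature TEXT    NOT NULL,
    timestamp TEXT    NOT NULL,
    PRIMARY KEY (source, sid, cid)
);
CREATE TABLE replica_state (
    source   TEXT    NOT NULL,
    sid      INTEGER NOT NULL,
    last_cid INTEGER NOT NULL,   -- highest cid already copied for this sensor
    PRIMARY KEY (source, sid)
);
"""


def new_sensor_db(rows):
    """Sensor-side database (sqlite3 standing in for MySQL); rows are (sid, cid, signature, timestamp)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SENSOR_SCHEMA)
    db.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", rows)
    db.commit()
    return db


def new_central_db():
    """Central repository (sqlite3 standing in for Oracle)."""
    db = sqlite3.connect(":memory:")
    db.executescript(CENTRAL_SCHEMA)
    return db


def replicate(central, source, sensor_db):
    """Copy every event above the stored (source, sid) watermark; return rows copied."""
    copied = 0
    for (sid,) in sensor_db.execute("SELECT DISTINCT sid FROM event").fetchall():
        row = central.execute(
            "SELECT last_cid FROM replica_state WHERE source=? AND sid=?",
            (source, sid)).fetchone()
        last_cid = row[0] if row else 0
        rows = sensor_db.execute(
            "SELECT sid, cid, signature, timestamp FROM event "
            "WHERE sid=? AND cid>? ORDER BY cid", (sid, last_cid)).fetchall()
        if not rows:
            continue
        # OR IGNORE: a batch that died after inserting rows but before the
        # watermark commit can be re-run without duplicating alerts.
        central.executemany(
            "INSERT OR IGNORE INTO event VALUES (?, ?, ?, ?, ?)",
            [(source,) + r for r in rows])
        central.execute(
            "INSERT OR REPLACE INTO replica_state VALUES (?, ?, ?)",
            (source, sid, rows[-1][1]))
        copied += len(rows)
    central.commit()  # rows and watermark land in one transaction
    return copied


def event_count(db):
    return db.execute("SELECT COUNT(*) FROM event").fetchone()[0]


def demo():
    """Two sites whose sensor databases both start their sid sequence at 1."""
    # Constructed sample alerts, not captured data.
    site_a = new_sensor_db([
        (1, 1, "ICMP PING NMAP",         "2004-02-25 09:00:01"),
        (1, 2, "SCAN nmap TCP",          "2004-02-25 09:00:02"),
        (2, 1, "WEB-IIS cmd.exe access", "2004-02-25 09:01:10"),
    ])
    site_b = new_sensor_db([
        (1, 1, "MS-SQL Worm propagation attempt", "2004-02-25 09:02:30"),
    ])
    central = new_central_db()
    first = replicate(central, "site-a", site_a) + replicate(central, "site-b", site_b)
    # Second batch with nothing new: nothing copied, nothing duplicated.
    second = replicate(central, "site-a", site_a) + replicate(central, "site-b", site_b)
    # One new alert at site A: only that row moves on the next run.
    site_a.execute("INSERT INTO event VALUES (1, 3, 'SCAN SSH Version map attempt', "
                   "'2004-02-25 09:05:00')")
    site_a.commit()
    third = replicate(central, "site-a", site_a)
    return first, second, third, event_count(central)


if __name__ == "__main__":
    print(demo())  # (4, 0, 1, 5)
```

The same watermark approach carries over to a cron job against real MySQL and Oracle drivers; the part worth keeping is that the watermark is committed in the same transaction as the copied rows, and that the central key includes which sensor database the batch came from.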




