[Snort-users] Snort Deployment Suggestions

Kreimendahl, Chad J Chad.Kreimendahl at ...4716...
Wed Feb 25 15:24:09 EST 2004


I would recommend that if you're going to be watching considerable
bandwidth... you need a system capable of polling when needed on network
cards..  This likely means freebsd5 with a bunch of intel 100M cards...
OR  sun v210s or 220s... etc.... the sun machines have quad gigabit
built into them and the OS (solaris9) does polling when packets start to
fly in high quantities.   There are other (more expensive) options such
as the crossbeam hardware and TopLayer  devices to aggregate stuff...
but when you consider the sun box is $3k... and a TopLayer IDS Balancer
is around 100k... (8 gig ports, right?)... it can get very hard to
justify.   

I would highly recommend NOT using mysql for this... having one
centralized server dedicated to serving the data (on Oracle) would give
you the best performance... this is assuming you have oracle DBAs...
maybe build dmz just for your IDS servers (sounds like 10 or so of
them).  And run spans from your cisco switches.

Now... where the balancer comes in highly valuable is taking 1 Gigabit
connection from a large switch or router and splitting up the VLANs or
subnets into separate instances of snort (with their own unique rules
based on the systems contained within each)... In this case... the 100k
or so you'd pay for it may return its value in time saved for management
and incident handling.... And all the enormous headaches given from a
snort not finely tuned.
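As an added illustration of the per-VLAN layout described above (example code, not from the thread or the Snort project): a small planner that gives each VLAN its own Snort 2.x instance, HOME_NET, rule set and BPF filter on the shared SPAN interface, and refuses overlapping definitions that would make two instances fire on the same packets. The sensor table, interface name, database host and paths are constructed assumptions.

```python
"""Plan one Snort 2.x instance per VLAN on a single spanned gigabit link."""
import ipaddress
import shlex

# Constructed sample: VLANs seen on the SPAN port and the rule set that
# fits the systems on each (names are assumptions, not real files).
SENSOR_MAP = [
    {"vlan": 10, "net": "10.10.0.0/24", "rules": "web-servers.rules"},
    {"vlan": 20, "net": "10.20.0.0/24", "rules": "admin-nets.rules"},
    {"vlan": 30, "net": "10.30.0.0/22", "rules": "core-servers.rules"},
]


def validate(sensor_map):
    """Reject duplicate VLAN ids and overlapping HOME_NETs; either would
    make two instances alert on the same traffic and double the noise."""
    seen_vlans, nets = set(), []
    for s in sensor_map:
        if s["vlan"] in seen_vlans:
            raise ValueError(f"duplicate VLAN {s['vlan']}")
        seen_vlans.add(s["vlan"])
        net = ipaddress.ip_network(s["net"])
        for other in nets:
            if net.overlaps(other):
                raise ValueError(f"{net} overlaps {other}")
        nets.append(net)
    return True


def bpf_filter(sensor):
    """BPF expression passed to Snort so it only sees this VLAN's frames."""
    return f"vlan {sensor['vlan']} and net {sensor['net']}"


def conf_fragment(sensor, db_host="db.example.internal"):
    """Per-instance snort.conf lines: own HOME_NET, own rules, and the
    Snort 2.x 'output database' plugin pointed at one central server."""
    return "\n".join([
        f"var HOME_NET {sensor['net']}",
        "var EXTERNAL_NET !$HOME_NET",
        f"include $RULE_PATH/{sensor['rules']}",
        f"output database: alert, mysql, user=snort dbname=snort host={db_host}",
    ])


def snort_cmdline(sensor, iface="eth1", conf_dir="/etc/snort"):
    """Daemonised command line for one instance (Snort 2.x -D/-i/-c/-l),
    with a separate log directory so instances never clobber each other."""
    vlan = sensor["vlan"]
    args = ["snort", "-D", "-i", iface, "-c", f"{conf_dir}/vlan{vlan}.conf",
            "-l", f"/var/log/snort/vlan{vlan}", bpf_filter(sensor)]
    return " ".join(shlex.quote(a) for a in args)
```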

-----Original Message-----
From: Tom Riley [mailto:axtjr at ...11294...] 
Sent: Wednesday, February 25, 2004 2:17 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort Deployment Suggestions

Greetings,

I have a need for some experienced feedback/wisdom on Snort deployment.
I have a large network (50 subnets) that we want to monitor for
Intrusion Detection.

Initially my plan was to include 3-4 Snort boxes in various strategic
locations, such as the Backbone, behind the firewall of our core
servers, and a couple admin-specific networks, recording alerts/events
to a local MySQL server database, and having a batch script copying
those various MySQL databases into a single Oracle repository for
analysis.

After discussion of my plan with management, it was suggested that we
monitor all 50 subnets for intrusion attempts. The only cost-effective
way I could think to do this was to have multiple servers with 2-4
multiport NICs and set up Snort to monitor each individual subnet. I
would have one server as a MySQL database server, have each
multiport/multi-NIC machine report back to a local MySQL database, and as
before, have all of these MySQL databases write back to a single Oracle
repository.

Snort Stack

+-----------------------+
|  MySQL Server         |
+-----------------------+
+-----------------------+
|  Snort #1             |
+-----------------------+
+-----------------------+
|  Snort #2             |
+-----------------------+
+-----------------------+
|  Snort #3             |
+-----------------------+
+-----------------------+
|  Snort #4             |
+-----------------------+

Snort #1-4 being boxes that contain 2-4 Multiport NICs, and saving all
their alerts up to the MySQL server.

This configuration will be located in 3 locations on campus, and have
each of the three MySQL databases batch copy the records over to an
oracle database for analysis.

What advice could any of you offer for my situation? What books have you
found to be good and useful? Has anyone attempted to use multiport NICs to
monitor multiple networks?

Any advice you can provide would be greatly appreciated! :D And, if I
get this configuration to work, I'd be happy to document it and share
the results.

Thanks,

Tom

*********************************************************
* Tom Riley                    tom.riley at ...11294... *
* Systems Engineer          UAA/ITS Infrastructure Team *
*                ----------------                       *
* "What we plant in the soil of contemplation, we shall *
*   reap in the harvest of action." -Meister Eckhart    *
*********************************************************