[Snort-users] Snort Analysis platform

Michael Boman michael.boman at ...11827...
Tue Nov 30 05:51:09 EST 2004


Sorry, this email was meant to be a quick reply and ended up as an
essay... Read below for my reply.

On Tue, 23 Nov 2004 08:10:54 +0100, max <supermax at ...12723...> wrote:
> Hello Everybody.
> 
> I am confident Snort can work well in this environment, but I am
> evaluating software for the event analysis task. I used ACID for some
> time in a smaller environment, and really like it, but I don't know if it
> can permit users to query events in a DB with more than 10 Million events.

I doubt it; ACID gets problems with 1/4 million alerts, so don't bet on it...

> The platform should offer strong possibilities to see events from different
> points of view (source IP, Dest IP, Event Name, Network Sensor Name, etc.)
> and drill down to analyze them better. This approach is the only one I have
> found that permits analyzing so many events.

Sounds like you just described sguil (www.sguil.net). It's not web
based (needs a client on each analyst machine) but scales very well
and can do so much more than just browse alerts. If you drop by
#snort-gui at irc.freenode.net during US daytime you can get yourself
a tour of the system from anyone who feels ready for it. At the
website there are screenshots and flash demos (yes bamm, the rest of
them are on their way - trust me ;) ).

To understand the whole NSM concept better I'd recommend "The Tao of
Network Security Monitoring: Beyond Intrusion Detection" by Richard
Bejtlich. I found the book very good and it has a chapter on sguil too
(which is also available for download at the publisher's site). More
info about the book and where to get sample chapters etc. can be found
at the author's website: www.taosecurity.com

> Do you have any experience to share on software (commercial/opensource)
> that can permit Snort event analysis for an environment with so many
> events?

First off, don't alert on things you are not really interested in (i.e.
do not just enable all rules in snort without giving it at least a
second thought). It will just use more resources (both hardware and
human). There is no easy way to get it right though; all networks are
different. Some general thoughts: an internet worm exiting your network
is more troublesome than an internet worm entering your network (the first
one is a confirmed infection - the second one is a potential infection,
if the system isn't patched).

NIDS are not a silver bullet and shouldn't be treated as such - use
the right tool for the right job. Example: even if it's possible for
snort to detect some viruses, it's more cost effective (btw: cost
doesn't always mean money) to have anti-virus on email and proxy
servers (or other choke points). Don't let any PHBs tell you
otherwise.

Practice NSM. Sure, it requires more resources to get going - but when
the sh*t hits the fan you sure are happy that you took the extra step.

You will need something to manage the snort config and rules on so
many machines. You will also need to have a decent update
infrastructure in place to keep all those boxes in shape - you don't
want to spend more time managing the systems than analysing the
alerts...

Plan for the "what now?" step (a.k.a. Incident Response). If you
detect an intrusion: who will do what? When? Why? etc. Remember:
detection doesn't make your system or network any more secure if there
isn't a response...

Hope that this will get you started...

Best regards
 Michael Boman
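The two points the reply makes about triage, that the same worm signature means something different depending on which way the traffic flows, and that analysts need to pivot a large event set by source IP, destination IP, event name and sensor, can be shown with a small parser over Snort's one-line `alert_fast` output. The script below is an added example and is not code from the post, from sguil or from the Snort project. It assumes a HOME_NET of two RFC 1918 ranges, IPv4-only alert lines, and a set of constructed sample alerts using SIDs from the local-rule range (1000001 and up) and documentation addresses; the message texts, sensor name and addresses are all made up for the example.

```python
"""Triage Snort alert_fast lines by traffic direction relative to HOME_NET.

An outbound hit on a worm signature is a confirmed infection inside the
network; an inbound hit on the same signature is only an attempt. The
parser labels each event, then pivots by (event name, direction) and by
source host so the confirmed infections surface first.
"""
import ipaddress
import re
from collections import Counter

# Assumed HOME_NET for this example; a real deployment takes it from snort.conf.
HOME_NET = [ipaddress.ip_network("10.0.0.0/8"),
            ipaddress.ip_network("192.168.0.0/16")]

# One alert per line in Snort's alert_fast output; IPv4 only, ports optional
# (ICMP alerts carry none), Classification block optional.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?$"
)

# Ordering used when ranking: outbound first, since that is the confirmed case.
DIRECTION_RANK = {"outbound": 0, "internal": 1, "inbound": 2, "external": 3}


def is_home(ip):
    """True if the address falls inside one of the HOME_NET ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def direction(src, dst):
    """Classify a flow as outbound, inbound, internal or external to HOME_NET."""
    s, d = is_home(src), is_home(dst)
    if s and not d:
        return "outbound"
    if d and not s:
        return "inbound"
    if s and d:
        return "internal"
    return "external"


def parse_alert(line):
    """Parse one alert_fast line into a dict, or return None for lines that don't match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["prio"] = int(ev["prio"])
    ev["direction"] = direction(ev["src"], ev["dst"])
    return ev


def prioritized(events):
    """Rank events: confirmed outbound activity first, then by Snort priority (1 is highest)."""
    return sorted(events, key=lambda e: (DIRECTION_RANK[e["direction"]], e["prio"]))


def triage(lines, sensor="sensor-1"):
    """Parse a batch of lines from one sensor and build the pivots an analyst drills into."""
    events = [e for e in map(parse_alert, lines) if e]
    for e in events:
        e["sensor"] = sensor          # tag with the sensor name so multi-sensor sets can be split
    return {
        "events": events,
        "ranked": prioritized(events),
        "by_msg_dir": Counter((e["msg"], e["direction"]) for e in events),
        "outbound_src": Counter(e["src"] for e in events if e["direction"] == "outbound"),
    }


# Constructed sample alerts (local-range SIDs, documentation addresses, made-up messages).
SAMPLE_ALERTS = [
    "11/30-05:51:09.000001  [**] [1:1000001:1] TEST worm propagation attempt [**] "
    "[Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.2.3:4567 -> 198.51.100.7:445",
    "11/30-05:51:10.000002  [**] [1:1000001:1] TEST worm propagation attempt [**] "
    "[Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.2.3:4568 -> 198.51.100.8:445",
    "11/30-05:51:11.000003  [**] [1:1000001:1] TEST worm propagation attempt [**] "
    "[Classification: A Network Trojan was detected] [Priority: 1] {TCP} 203.0.113.9:3322 -> 10.1.2.50:445",
    "11/30-05:51:12.000004  [**] [1:1000001:1] TEST worm propagation attempt [**] "
    "[Classification: A Network Trojan was detected] [Priority: 1] {TCP} 203.0.113.10:3333 -> 10.1.2.51:445",
    "11/30-05:51:13.000005  [**] [1:1000002:1] TEST ICMP echo request [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 10.1.2.3 -> 10.1.2.4",
    "this line is not an alert and is skipped by the parser",
]

if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS, sensor="dmz-sensor")
    for (msg, direc), n in result["by_msg_dir"].most_common():
        print(f"{n:4d}  {direc:9s} {msg}")
    print("hosts with outbound hits:", dict(result["outbound_src"]))
```

Running it shows the worm signature split into two outbound and two inbound hits, and a single internal host (10.1.2.3) responsible for both outbound ones; that host is the one to pull off the network, while the inbound pair only warrants a patch-level check on the targets. Feeding the same function per-sensor output with a different `sensor` value gives the sensor-name pivot the thread asks about.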
