[Snort-users] Snort Deployment Configurations
Jason.Haar at ...294...
Sun Feb 6 22:38:32 EST 2011
On 02/04/2011 04:11 PM, Martin Holste wrote:
> I currently run Snort in multiple configurations on the gateway, but I
> used to run it between servers and clients in the data center. This
> proved to be a total waste of time--the amount of traffic that needs
> to be inspected combined with the massive amount of false positives
> proved to be ineffective for useful intel for the amount of effort
> required. For monitoring the inside of the network, I recommend a
> strategy of Netflow, firewall logs, and server logs before you start
> trying IDS on that amount and kind of traffic.
Just as an aside: have you ever found a practical use for NetFlow beyond
detecting saturated pipes? e.g. like seeing spikes and tracking that
back to something "bad" that *wasn't* a DoS tool? I just wonder if using
mrtg to monitor for saturation would do 99.9% of what people actually
use NetFlow for... On large networks, NetFlow basically makes graphs of
traffic going up and down - you can get per-port if you're lucky. But
the complexity of real networks just makes me think detecting "bad
things" beyond DoS tools isn't really plausible?
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
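To give the question above something concrete to chew on, here is an added example (not code from the original post or from the Snort project) of three detections that can be run over NetFlow-style records and that do not depend on a saturated pipe at all: a port sweep (one source touching many destination ports on one host), a beacon (flows to the same destination at suspiciously regular intervals), and a large outbound transfer from an internal host to a single external address. The flow records are constructed for the example, the 10.0.0.0/8 "internal" range and all thresholds are assumptions, and real collectors export more fields (TCP flags, packet counts, exporter interface) that would tighten each check.

```python
"""Flow-record detections that do not rely on link saturation.

Added example: the records in FLOWS are constructed, not captured from any
real network, and the thresholds are illustrative assumptions.
"""
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Assumed address plan for the example: everything in 10.0.0.0/8 is "inside".
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed records in a NetFlow-v5-like shape:
# (start_seconds, src_ip, dst_ip, proto, dst_port, bytes)
FLOWS = []
# 10.0.0.5 sweeps 25 TCP ports on 10.0.1.20 with tiny, SYN-sized flows.
FLOWS += [(t, "10.0.0.5", "10.0.1.20", "tcp", 1 + t, 60) for t in range(25)]
# 10.0.0.7 checks in with 203.0.113.9:443 every 300 s (C2-style beacon).
FLOWS += [(1000 + 300 * i, "10.0.0.7", "203.0.113.9", "tcp", 443, 1200) for i in range(10)]
# 10.0.0.9 pushes ~1.5 GB to 198.51.100.4 over SSH in two flows.
FLOWS += [(5000, "10.0.0.9", "198.51.100.4", "tcp", 22, 900_000_000),
          (5600, "10.0.0.9", "198.51.100.4", "tcp", 22, 600_000_000)]
# 10.0.0.3 browses 93.184.216.34:443 at irregular times with modest volume.
FLOWS += [(t, "10.0.0.3", "93.184.216.34", "tcp", 443, 40_000)
          for t in (10, 400, 450, 1300, 1350, 2900)]


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def port_scans(flows, min_ports=20):
    """(src, dst, distinct_ports) for every pair that touched >= min_ports ports."""
    ports = defaultdict(set)
    for _, src, dst, _, dport, _ in flows:
        ports[(src, dst)].add(dport)
    return sorted((src, dst, len(p)) for (src, dst), p in ports.items()
                  if len(p) >= min_ports)


def beacons(flows, min_count=6, max_cv=0.1):
    """(src, dst, dport, mean_gap) where at least min_count flows recur with
    inter-arrival gaps whose coefficient of variation is <= max_cv."""
    times = defaultdict(list)
    for start, src, dst, _, dport, _ in flows:
        times[(src, dst, dport)].append(start)
    hits = []
    for key, ts in times.items():
        if len(ts) < min_count:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        # pstdev/mean is 0 for perfectly regular check-ins, ~1 for bursty browsing.
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((*key, avg))
    return sorted(hits)


def exfil(flows, min_bytes=1_000_000_000):
    """(src, dst, total_bytes) for internal->external pairs over min_bytes."""
    out = defaultdict(int)
    for _, src, dst, _, _, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            out[(src, dst)] += nbytes
    return sorted((src, dst, b) for (src, dst), b in out.items() if b >= min_bytes)


if __name__ == "__main__":
    for name, hits in (("port sweeps", port_scans(FLOWS)),
                       ("beacons", beacons(FLOWS)),
                       ("bulk outbound", exfil(FLOWS))):
        print(f"{name}: {hits}")
```

None of these would register on an MRTG throughput graph: the sweep moves a few kilobytes, the beacon a few kilobytes an hour, and the 1.5 GB transfer is well under what a busy link carries in a minute. The same per-source, per-destination-port and inter-arrival grouping is what the firewall-log and server-log strategy from the quoted reply gives you, with flow records covering the segments those logs do not.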