[Snort-users] Snort Deployment Configurations

Jason Haar Jason.Haar at ...294...
Sun Feb 6 22:38:32 EST 2011

On 02/04/2011 04:11 PM, Martin Holste wrote:
> I currently run Snort in multiple configurations on the gateway, but I
> used to run it between servers and clients in the data center.  This
> proved to be a total waste of time--the amount of traffic that needs
> to be inspected combined with the massive amount of false positives
> proved to be ineffective for useful intel for the amount of effort
> required.  For monitoring the inside of the network, I recommend a
> strategy of Netflow, firewall logs, and server logs before you start
> trying IDS on that amount and kind of traffic.
Just as an aside: have you ever found a practical use for NetFlow beyond
detecting saturated pipes? e.g. like seeing spikes and tracking that
back to something "bad" that *wasn't* a DoS tool? I just wonder if using
mrtg to monitor for saturation would do 99.9% of what people actually
use NetFlow for... On large networks, NetFlow basically makes graphs of
traffic going up and down - you can get per-port if you're lucky. But
the complexity of real networks just makes me think detecting "bad
things" beyond DoS tools isn't really plausible?


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

More information about the Snort-users mailing list