[Snort-users] Snort Deployment Configurations

Crusty Saint saintcrusty at ...11827...
Mon Feb 7 03:13:21 EST 2011


NetFlow can also be used to reconstruct a history of connections as they
were made: no real replay, just which IP from port x talked to which IP on port x ...
At least that's what we used it for during tests.

2011/2/7 Jason Haar <Jason.Haar at ...294...>

> On 02/04/2011 04:11 PM, Martin Holste wrote:
> > I currently run Snort in multiple configurations on the gateway, but I
> > used to run it between servers and clients in the data center.  This
> > proved to be a total waste of time--the amount of traffic that needs
> > to be inspected combined with the massive amount of false positives
> > proved to be ineffective for useful intel for the amount of effort
> > required.  For monitoring the inside of the network, I recommend a
> > strategy of Netflow, firewall logs, and server logs before you start
> > trying IDS on that amount and kind of traffic.
> Just as an aside: have you ever found a practical use for NetFlow beyond
> detecting saturated pipes? e.g. like seeing spikes and tracking that
> back to something "bad" that *wasn't* a DoS tool? I just wonder if using
> mrtg to monitor for saturation would do 99.9% of what people actually
> use NetFlow for... On large networks, NetFlow basically makes graphs of
> traffic going up and down - you can get per-port if you're lucky. But
> the complexity of real networks just makes me think detecting "bad
> things" beyond DoS tools isn't really plausible?
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
-- 
- - -
Security Engineer - Tags: Analyst Systems Security Linux Firewall Network
Web Troubleshooting - If you think I deserve a rant, write me off-list
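The two points raised in this thread (reconstructing "who talked to whom, on which ports, when" from flow records, and tracking a traffic spike back to a host rather than only graphing saturation) can both be done with a few lines over exported flow records. The following is an added example written for this archive page, not code from either poster or from the Snort project. It assumes flows have already been collected into a simplified one-line-per-record text format; the field layout and the sample records are constructed for the example and do not match any particular collector's output.

```python
"""Reconstruct a connection history and explain a traffic spike from NetFlow-style records.

Added example (not from the thread). Assumed, constructed record layout:
start_epoch,src_ip,src_port,dst_ip,dst_port,proto,packets,bytes
Each record is one unidirectional flow, as exporters typically emit them.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample export: two HTTPS sessions, one SSH session, one large
# SMB transfer and a DNS lookup. Both directions of each TCP session appear.
SAMPLE_FLOWS = """\
# start,src,sport,dst,dport,proto,packets,bytes
1297065600,10.0.0.5,51234,192.168.1.10,443,tcp,12,3400
1297065600,192.168.1.10,443,10.0.0.5,51234,tcp,10,18200
1297065605,10.0.0.5,51235,192.168.1.10,443,tcp,8,2100
1297065605,192.168.1.10,443,10.0.0.5,51235,tcp,7,9800
1297065660,10.0.0.7,40000,192.168.1.20,22,tcp,200,24000
1297065660,192.168.1.20,22,10.0.0.7,40000,tcp,180,52000
1297065720,10.0.0.7,40001,192.168.1.30,445,tcp,3000,4500000
1297065720,192.168.1.30,445,10.0.0.7,40001,tcp,2800,120000
1297065780,10.0.0.5,51236,8.8.8.8,53,udp,1,70
"""


@dataclass(frozen=True)
class Flow:
    start: int       # flow start, epoch seconds
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int
    bytes_: int


def parse_flows(text):
    """Parse the constructed text format; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split(",")
        if len(f) != 8:
            raise ValueError(f"malformed record: {line!r}")
        flows.append(Flow(int(f[0]), f[1], int(f[2]), f[3], int(f[4]),
                          f[5], int(f[6]), int(f[7])))
    return flows


def session_key(flow):
    """Direction-independent key so both halves of a TCP/UDP conversation merge."""
    a = (flow.src, flow.sport)
    b = (flow.dst, flow.dport)
    return (flow.proto,) + (a + b if a <= b else b + a)


def connection_history(flows):
    """One entry per conversation: endpoints, ports, first/last seen, volume.

    The first record seen for a key is treated as the initiating (client) side;
    sorted() is stable, so records with equal start times keep export order.
    """
    sessions = {}
    for fl in sorted(flows, key=lambda f: f.start):
        s = sessions.setdefault(session_key(fl), {
            "client": (fl.src, fl.sport), "server": (fl.dst, fl.dport),
            "proto": fl.proto, "first_seen": fl.start, "last_seen": fl.start,
            "packets": 0, "bytes": 0})
        s["last_seen"] = max(s["last_seen"], fl.start)
        s["packets"] += fl.packets
        s["bytes"] += fl.bytes_
    return list(sessions.values())


def bytes_per_bucket(flows, bucket_seconds=60):
    """Total bytes per time bucket: this is the 'graph going up and down'."""
    totals = defaultdict(int)
    for fl in flows:
        totals[fl.start - fl.start % bucket_seconds] += fl.bytes_
    return dict(totals)


def top_talkers_in_bucket(flows, bucket_start, bucket_seconds=60, n=3):
    """Bytes sent per source host inside one bucket, largest first."""
    per_host = defaultdict(int)
    for fl in flows:
        if bucket_start <= fl.start < bucket_start + bucket_seconds:
            per_host[fl.src] += fl.bytes_
    return sorted(per_host.items(), key=lambda kv: kv[1], reverse=True)[:n]


def explain_spike(flows, bucket_seconds=60):
    """Find the busiest bucket and attribute it to the hosts that filled it."""
    totals = bytes_per_bucket(flows, bucket_seconds)
    peak = max(totals, key=totals.get)
    return peak, totals[peak], top_talkers_in_bucket(flows, peak, bucket_seconds)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for s in connection_history(flows):
        print(f"{s['proto']} {s['client'][0]}:{s['client'][1]} -> "
              f"{s['server'][0]}:{s['server'][1]}  bytes={s['bytes']}")
    peak, total, talkers = explain_spike(flows)
    print(f"peak bucket {peak}: {total} bytes, top talkers {talkers}")
```

The conversation list is the "history of connections as they were made" from the first message; `explain_spike` answers the second message's question by going one step past the saturation graph and naming the host and conversation behind the peak, which is the point at which a flow record becomes an investigative lead rather than a bandwidth chart.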