[Snort-users] Snort Deployment Configurations

Ray Caparros arcy24 at ...11827...
Mon Feb 7 09:20:09 EST 2011


Jason,

In the past we integrated NTOP with our snort deployments as well.
It's actually great for conducting netflow analysis.

-Ray

On Mon, Feb 7, 2011 at 3:13 AM, Crusty Saint <saintcrusty at ...11827...> wrote:
> Netflow can also be used to reconstruct a history for connections as they
> were made, no real replay, just what ip from port x to what ip to port x ...
> at least that's what we used it for during tests
>
> 2011/2/7 Jason Haar <Jason.Haar at ...294...>
>>
>> On 02/04/2011 04:11 PM, Martin Holste wrote:
>> > I currently run Snort in multiple configurations on the gateway, but I
>> > used to run it between servers and clients in the data center.  This
>> > proved to be a total waste of time--the amount of traffic that needs
>> > to be inspected combined with the massive amount of false positives
>> > proved to be ineffective for useful intel for the amount of effort
>> > required.  For monitoring the inside of the network, I recommend a
>> > strategy of Netflow, firewall logs, and server logs before you start
>> > trying IDS on that amount and kind of traffic.
>> Just as an aside: have you ever found a practical use for NetFlow beyond
>> detecting saturated pipes? e.g. like seeing spikes and tracking that
>> back to something "bad" that *wasn't* a DoS tool? I just wonder if using
>> mrtg to monitor for saturation would do 99.9% of what people actually
>> use NetFlow for... On large networks, NetFlow basically makes graphs of
>> traffic going up and down - you can get per-port if you're lucky. But
>> the complexity of real networks just makes me think detecting "bad
>> things" beyond DoS tools isn't really plausible?
>>
>> --
>> Cheers
>>
>> Jason Haar
>> Information Security Manager, Trimble Navigation Ltd.
>> Phone: +64 3 9635 377 Fax: +64 3 9635 417
>> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>>
>>
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
> --
> - - -
> Security Engineer - Tags: Analyst Systems Security Linux Firewall Network
> Web Troubleshooting - If you think I deserve a rant, write me off-list
>
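As an added illustration of the two uses of NetFlow raised in this thread (reconstructing "what ip from port x to what ip to port x" as Crusty Saint describes, and tracing a traffic spike back to a host rather than only seeing it on a link graph, as Jason asks about), here is a small Python script. It is not code from Snort, NTOP or anyone on the list. It assumes a simplified CSV export of flow records (start epoch seconds, source IP, source port, destination IP, destination port, protocol, bytes); the sample records are constructed, and the 10x-over-median spike threshold is an arbitrary choice for the example.

```python
"""Reconstruct connection history and spot volume spikes from NetFlow-style
records.  Added example for this thread; not code from Snort, NTOP or any
list member.  The record format is an assumption: a simplified CSV export
(start epoch, src IP, src port, dst IP, dst port, proto, bytes)."""

from collections import defaultdict
from statistics import median

# Constructed sample export: eight flows over about fifteen minutes, with
# 10.0.0.5 sending an unusually large volume to one outside host at 600s.
SAMPLE_FLOWS = """\
0,10.0.0.5,51000,10.0.0.10,22,tcp,1200
30,10.0.0.5,51001,10.0.0.10,22,tcp,1500
60,10.0.0.7,40000,10.0.0.20,443,tcp,90000
300,10.0.0.5,51002,10.0.0.10,22,tcp,1100
330,10.0.0.7,40001,10.0.0.20,443,tcp,85000
600,10.0.0.5,51003,203.0.113.9,443,tcp,52000000
620,10.0.0.7,40002,10.0.0.20,443,tcp,88000
900,10.0.0.5,51004,10.0.0.10,22,tcp,1300
"""

FIELDS = ("start", "src", "sport", "dst", "dport", "proto", "bytes")


def parse_flows(text):
    """Parse the assumed CSV export into a list of dicts, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(",")
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed flow record: {line!r}")
        rec = dict(zip(FIELDS, parts))
        for key in ("start", "sport", "dport", "bytes"):
            rec[key] = int(rec[key])
        flows.append(rec)
    return flows


def connection_history(flows, host):
    """Ordered 'who talked to whom' for one host: the connection history
    the thread describes, with no payload replay.  Returns (start,
    'src:sport -> dst:dport') tuples where the host is source or destination."""
    hist = [
        (f["start"], f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']}")
        for f in flows
        if host in (f["src"], f["dst"])
    ]
    return sorted(hist)


def byte_spikes(flows, window=300, factor=10.0):
    """Per-source byte totals per time window; a window is a spike when it
    exceeds `factor` times the median of that source's other windows.
    Returns (src, window_start, bytes) for each spike, so a spike seen on a
    link graph can be traced back to the host that caused it."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        totals[f["src"]][(f["start"] // window) * window] += f["bytes"]
    spikes = []
    for src, per_window in totals.items():
        if len(per_window) < 3:
            continue  # too little history to call anything a spike
        for start, total in sorted(per_window.items()):
            others = [v for k, v in per_window.items() if k != start]
            baseline = median(others)
            if baseline > 0 and total > factor * baseline:
                spikes.append((src, start, total))
    return spikes


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for when, conn in connection_history(flows, "10.0.0.5"):
        print(f"{when:>5}s  {conn}")
    for src, start, total in byte_spikes(flows):
        print(f"spike: {src} sent {total} bytes in window starting {start}s")
```

Run against the sample, the history for 10.0.0.5 lists its five flows in time order, and the spike check singles out the 600s window of 10.0.0.5, which is exactly the "track the spike back to a host" step that a bandwidth graph alone cannot do; 10.0.0.7's steady 443 traffic is not flagged. A real deployment would read the export of whatever collector is in use (NTOP, nfdump or similar) in place of the constructed string.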



