[Snort-users] Snort Deployment Configurations

Martin Holste mcholste at ...11827...
Mon Feb 7 13:36:31 EST 2011

> Most of the time, this process will lead to the deployment of many
> (smaller) sensors versus one sensor to rule them all. I expect dollars
> and perceived simplicity drive the "one sensor" mentality, but in my
> experience, it's at the cost of reduced ability to detect and respond
> to security incidents.

Agree--that's why I recommend getting a mature logging framework up
and running before trying to do IDS in the data center.  Centralized
logging is somewhat like having a little IDS in front of every server.
 The main advantage being that you get business logic layers that are
impossible or difficult to get from the network.  That said, logging
won't do much good unless you've got it on verbose output.  For
Windows servers, turning on file modification/create logging and using
something evtsys (code.google.com/p/eventlog-to-syslog) to bulk
forward everything to a central repo is a pretty big win.  Once that
low-hanging fruit is out of the way, then you can worry about
installing and tuning all of the appropriate IDS's, which is a much
larger task if you do it in a meaningful way.

More information about the Snort-users mailing list