[Snort-users] New snort install question

Jason Haar Jason_Haar at ...15306...
Mon May 21 16:34:04 EDT 2012

On 22/05/12 07:37, Sallee, Stephen (Jake) wrote:
> We have 50+ buildings on campus and the idea is to place a single
> snort box in each building and have it sniff the uplink traffic, then
> report back to our NAC system (Packetfence).  The goal was to be able
> to use some of our older desktops (Dell 960s) as kind of snort nodes
> with no keyboard, mouse or monitor. 
What are the uplinks? I'd guess either 1G or 10G? Do "old" Dell 960s
have PCIe buses and Ethernet cards to match, and do they have high-end
CPUs that can keep up with "counting" 1-10Gbps Ethernet traffic? I think
you may be expecting too much of the hardware?

> We would prefer to be able to manage all of these distributed snort
> boxes from a single place or at least from a web GUI on each box.
> #1. Am I way off base thinking about using snort this way?

Assuming I am correct about the uplink speeds, this is probably the best
way of doing it. The only other option would be to "collapse" those
uplinks into a single area and SPAN that - but then you're in the
10-100Gbs range...? Meethinks that's a harder problem to solve ;-)
> #3. Am I missing something crucial that would make me look like an
> idiot when I go to set this up?
First question is always: "what are you trying to achieve"? Second is
"what is your budget" ;-). If you are wanting to protect your computers
from your computers, then you are on the right track. If you are trying
to protect your computers from "the Internet", then you're doing it
wrong - you only need one NIDS at the edge of your network.

Basically, lots of organizations use NIDS to monitor (LAN to) WAN or
Internet pipes, few use it to monitor (LAN to) LANs - it's just too
expensive and time-consuming (i.e there's a lot more exotic traffic
which leads to a lot more FPs)


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

More information about the Snort-users mailing list