[Snort-users] New snort install question

Sallee, Stephen (Jake) Jake.Sallee at ...15646...
Mon May 21 17:19:34 EDT 2012

Jason, thank you for your response.

> What are the uplinks?

The uplinks are 1Gb.  The idea would be to span a port on the switch and let the snort box passively analyze that traffic with a separate link on the snort box for management and reporting.  We are thinking that this would be the easiest way to sniff our traffic yet keep the box out of band.  That way even if it does get bogged down it won't introduce latency into the network.

> ... do they have high-end CPUs...

Intel Core i3 @ 3.2GHz, 4 GB DDR3 RAM @ 10666, 300 GB SATAII HD, 2 x 1 Gb NIC.

Does that sound sufficient for real time monitoring?  We are not interested in historical reporting right now as we are planning on sending the events to a syslog server and our NAC.

> ... what are you trying to achieve...

We are indeed trying to protect our LAN from internal threats.  We have a well-protected internet facing edge but as a university we have a few thousand non-university owned assets that access our network every day.  Once these devices are on my network they have bypassed my armored edge and are able to poke away at my soft belly ... I don't like that.

> ... what is your budget...

: ) effectively $0.00

> Basically, lots of organizations use NIDS to monitor (LAN to) WAN or Internet pipes, few use it to monitor (LAN to) LANs - it's just too expensive and time-consuming (i.e. there's a lot more exotic traffic which leads to a lot more FPs)

That's why we are thinking of taking a cautious approach and not enabling a bunch of rules to start with.  We would only enable rules that we are comfortable with and would pilot them on a subset of our population first ... this is of course in a perfect world.

The main reason that we are looking into this is because we are effectively an ISP for our users and while our internet facing edge is protected our internal network is largely way too trusting.  Since we have adopted a BYOD stance we have to regard our internal network as having the same hostility as the internet, simply because the same devices that are out there are being brought in here... and it's a scary, scary world out there!

I would greatly appreciate any suggestions and/or feedback any users have. Thank you.

Jake Sallee

Godfather of Bandwidth

System Engineer

University of Mary Hardin-Baylor

900 College St.

Belton TX. 76513

Fone: 254-295-4658

Phax: 254-295-4221


-----Original Message-----
From: Jason Haar [mailto:Jason_Haar at ...15306...]
Sent: Monday, May 21, 2012 3:34 PM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] New snort install question

On 22/05/12 07:37, Sallee, Stephen (Jake) wrote:


> We have 50+ buildings on campus and the idea is to place a single
> snort box in each building and have it sniff the uplink traffic, then
> report back to our NAC system (Packetfence).  The goal was to be able
> to use some of our older desktops (Dell 960s) as kind of snort nodes
> with no keyboard, mouse or monitor.

What are the uplinks? I'd guess either 1G or 10G? Do "old" Dell 960s have PCIe buses and Ethernet cards to match, and do they have high-end CPUs that can keep up with "counting" 1-10Gbps Ethernet traffic? I think you may be expecting too much of the hardware?

> We would prefer to be able to manage all of these distributed snort
> boxes from a single place or at least from a web GUI on each box.

> #1. Am I way off base thinking about using snort this way?


Assuming I am correct about the uplink speeds, this is probably the best way of doing it. The only other option would be to "collapse" those uplinks into a single area and SPAN that - but then you're in the 10-100Gbs range...? Methinks that's a harder problem to solve ;-)


> #3. Am I missing something crucial that would make me look like an
> idiot when I go to set this up?

First question is always: "what are you trying to achieve"? Second is "what is your budget" ;-). If you are wanting to protect your computers from your computers, then you are on the right track. If you are trying to protect your computers from "the Internet", then you're doing it wrong - you only need one NIDS at the edge of your network.

Basically, lots of organizations use NIDS to monitor (LAN to) WAN or Internet pipes, few use it to monitor (LAN to) LANs - it's just too expensive and time-consuming (i.e. there's a lot more exotic traffic which leads to a lot more FPs).



Jason Haar

Information Security Manager, Trimble Navigation Ltd.

Phone: +1 408 481 8171

PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

