[Snort-users] New snort install question

livio Ricciulli livio at ...15149...
Mon May 21 21:27:29 EDT 2012


On 05/21/2012 02:19 PM, Sallee, Stephen (Jake) wrote:
>
> Jason, thank you for your response.
>
> > What are the uplinks?
>
> The uplinks are 1Gb.  The idea would be to span a port on the switch 
> and let the snort box passively analyze that traffic with a separate 
> link on the snort box for management and reporting.  We are thinking 
> that this would be the easiest way to sniff our traffic yet keep the 
> box out of band.  That way even if it does get bogged down it won't 
> introduce latency into the network.
>
Good plan. Power supplies always go; it is not a question of if, it is a 
question of when.
>
> > ... do they have high-end CPUs...
>
> Intel core i3 @ 3.2Ghz, 4 GB DDR3 RAM @ 10666, 300 GB SATAII HD, 2 x 1 
> Gb NIC.
>
> Does that sound sufficient for real time monitoring?  We are not 
> interested in historical reporting right now as we are planning on 
> sending the events to a syslog server and our NAC.
>
As a back-of-the-envelope calculation: if you use PF_RING (to run 3-4 
snort processes in parallel on your 3-4 hyperthreads), you will roughly 
be able to monitor 100-300 Mbps with ~6000 rules.
See www.snort.org/assets/186/PF_RING_Snort_Inline_Instructions.pdf
>
> > ... what are you trying to achieve...
>
> We are indeed trying to protect our LAN from internal threats.  We 
> have a well-protected internet facing edge but as a university we have 
> a few thousand non-university owned assets that access our network 
> every day.  Once these devices are on my network they have bypassed my 
> armored edge and are able to poke away at my soft belly ... I don't 
> like that.
>
You are smart. Internal monitoring can be challenging because of the 
rule tuning required, but it is also very important in my opinion. Today 
smart phones/laptops traverse firewalls every day, so perimeter 
defenses are getting obsolete. You are going to need a good event 
management system.

> -----Original Message-----
> From: Jason Haar [mailto:Jason_Haar at ...15306...]
> Sent: Monday, May 21, 2012 3:34 PM
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] New snort install question
>
> On 22/05/12 07:37, Sallee, Stephen (Jake) wrote:
>
> > We have 50+ buildings on campus and the idea is to place a single
> > snort box in each building and have it sniff the uplink traffic, then
> > report back to our NAC system (Packetfence).  The goal was to be able
> > to use some of our older desktops (Dell 960s) as kind of snort nodes
> > with no keyboard, mouse or monitor.
>
> What are the uplinks? I'd guess either 1G or 10G? Do "old" Dell 960s 
> have PCIe buses and Ethernet cards to match, and do they have high-end 
> CPUs that can keep up with "counting" 1-10Gbps Ethernet traffic? I 
> think you may be expecting too much of the hardware?
>
> > We would prefer to be able to manage all of these distributed snort
> > boxes from a single place or at least from a web GUI on each box.
> >
> > #1. Am I way off base thinking about using snort this way?
>
> Assuming I am correct about the uplink speeds, this is probably the 
> best way of doing it. The only other option would be to "collapse" 
> those uplinks into a single area and SPAN that - but then you're in 
> the 10-100Gbs range...? Methinks that's a harder problem to solve ;-)
>
> > #3. Am I missing something crucial that would make me look like an
> > idiot when I go to set this up?
>
> First question is always: "what are you trying to achieve"? Second is 
> "what is your budget" ;-). If you are wanting to protect your 
> computers from your computers, then you are on the right track. If you 
> are trying to protect your computers from "the Internet", then you're 
> doing it wrong - you only need one NIDS at the edge of your network.
>
> Basically, lots of organizations use NIDS to monitor (LAN to) WAN or 
> Internet pipes, few use it to monitor (LAN to) LANs - it's just too 
> expensive and time-consuming (i.e. there's a lot more exotic traffic 
> which leads to a lot more FPs)
>
> --
> Cheers
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +1 408 481 8171
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>

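Livio's suggestion above, one Snort process per hyperthread behind PF_RING, as an added launcher script that is not part of this thread or of the snort.org instructions. The interface, snort.conf path, cluster id and log root are assumed placeholders, and `--daq pfring` / `--daq-var clusterid=` are taken to be the options of ntop's PF_RING DAQ module; DRY_RUN=1 only prints the commands.

```shell
#!/bin/sh
# Assumed (not from the thread): sniff interface, snort.conf path, PF_RING
# cluster id and log root. Override any of them via the environment.
IFACE="${IFACE:-eth1}"
CONF="${CONF:-/etc/snort/snort.conf}"
CLUSTER_ID="${CLUSTER_ID:-99}"
LOGROOT="${LOGROOT:-/var/log/snort}"

# Number of workers: WORKERS if set, else one per logical CPU.
worker_count() {
    if [ -n "$WORKERS" ]; then echo "$WORKERS"; else nproc 2>/dev/null || echo 1; fi
}

# Command line for worker N (0-based). Every worker joins the same PF_RING
# cluster, so the kernel module hands each flow to exactly one of them;
# taskset pins the worker to its own logical CPU (hyperthread).
worker_cmd() {
    n="$1"
    printf 'taskset -c %s snort -c %s -i %s --daq pfring --daq-var clusterid=%s -D -l %s/worker%s' \
        "$n" "$CONF" "$IFACE" "$CLUSTER_ID" "$LOGROOT" "$n"
}

# Refuse to start if the pf_ring module is missing or if more workers than
# logical CPUs were requested (oversubscribing just adds packet drops).
preflight() {
    grep -q '^pf_ring ' /proc/modules || { echo "pf_ring module not loaded" >&2; return 1; }
    [ "$(worker_count)" -le "$(nproc 2>/dev/null || echo 1)" ] || { echo "more workers than CPUs" >&2; return 1; }
}

# Print the commands (DRY_RUN=1) or start one daemonized snort per worker.
launch_workers() {
    i=0
    while [ "$i" -lt "$(worker_count)" ]; do
        cmd=$(worker_cmd "$i")
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$cmd"
        else
            mkdir -p "$LOGROOT/worker$i" && eval "$cmd"
        fi
        i=$((i + 1))
    done
}

# Only start processes when explicitly asked; sourcing the file is otherwise harmless.
if [ "${RUN_NOW:-0}" = 1 ]; then
    preflight && launch_workers
fi
```

Each worker logs to its own directory, so all of them need to be pointed at the same syslog/NAC pipeline.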