North American Network Operators Group
Re: Using snort to detect if your users are doing interesting things?
And when you do set up such an arrangement, depending on the number of rules you turn on, you can generate truly massive volumes of data to be analyzed by ACID or other tools. It is relatively easy to deploy snort for large volume, small number of rules type deployments. Aside from scaling the collectors and management console themselves, it can even be a challenge to aggregate all that data in a WAN deployment.
IDS has to be aimed carefully and then fired. And then one needs to ask what the derived value is, and just how you’re going to deal with the info. The latter being a magnificent operational challenge.
Or that’s at least been my experience. YMMV.
On 6/9/05 1:31 PM, "Jordan Medlen" <[email protected]> wrote:
We just finished deploying a Snort IDS system on our network. The task of doing so was well worth the effort, and quite a bit of effort and resources were needed for our deployment. Due to the fact that we have a sustained 5Gbps of traffic to monitor in our Tampa data center alone, a simple server running Snort was just not going to cut it and rather than deploying off of our core routers in Tampa, which would catch inbound and outbound traffic, we decided after our testing that placing our tap points on our core routers was just not going to be sufficient due to the amount of abuse we saw in testing between customers in our facility. We decided to build a single server for each of our distribution switches at all of our locations that would communicate to a central server running the ACID console. This deployment has allowed us to gather so much information about what *TRULY* is and has been going on, that we wonder why we didn’t do this sooner.