Snort mailing list archives
Deploying snort - Feedback reqd
From: Shane Machon <shane () twoplums com au>
Date: Wed, 10 Oct 2001 10:12:40 +1000
Greetings,
I am fairly new to snort. After running it up on some development
servers, I see its massive potential for our network servers.
I'm looking for feedback or case studies from people who have this sort
of scenario:
I've got 6 sensors that I want to run snort on, and report to a central
system (either db or syslogd).
I just have some simple questions I would like some feedback on.
1. I'm guessing (very roughly) I would get approximately 100+ alerts per
remote server per day (This is almost impossible to guess as snort is
not running on these machines yet). How much traffic would this generate
on the remote computer? (Traffic comes at a cost ;)
Are we just talking kilobytes of data or potentially megabytes of data?
Is there some sort of calculation that I could use to work this out
based on the approximation above (average bytes sent to a db for each
attack)?
2. What is the best way of analysing the data? Would ACID be the best
solution (based on there only being 1 Sysadmin to maintain all these
servers)? Or has anyone run an email type solution that uses syslog and
other programs (like logcheck perhaps) to send the sysadmin messages
when the alert file is updated?
I hope many others have been in this situation, and I hope that these
people can provide me with their success stories on deploying snort.
Cheers,
SHANE MACHON
Network Administrator
Technical Project Manager
Two Purple Plums Pty Ltd.
TPP Internet Development
(NetNames Australasia)
PO Box 334, Manly
NSW, 1655, Australia
Tel. +61 2 9970 5242
Fax. +61 2 9970 8262
Eml. shane () twoplums com au
==========================================
TPP Internet Development (NetNames Australasia)
The International Domain Name Registry
Registering Domain Names in over 200 countries
http://www.netnames.com.au
http://www.internetdevelopment.com.au
http://www.twoplums.com.au
==========================================
