Re: Snort Deployment Configurations

[Bamm Visscher <bamm.visscher () gmail com>]

MRTG is more about presenting "flows in motion" while netflow data is
more versatile. I've seen it used for analysis of "flows in motion" as
well as "flows at rest".

I previously tweeted some thoughts about "flows at rest" versus "flows
in motion" with the intention of publishing a more in depth discussion
later. Never happened, but here is a gist of what I was trying to get
across:

Analysing "flows in motion" is usually statistical analysis of point
in time data or an aggregation of a flow attribute over a period of
time. For example, bandwidth on date A was X compared to date B when
it was Y.

"Flows at rest" are more about the attributes of a single hosts itself
or possibly comparing attributes. Examples would be show which hosts
talked to newly identified host Y in the past X days or which host
compromised asset A talked to in the past B days. Another would be
comparing the number of bytes sent in a single flow versus the number
of packets received.

BTW, I tend to prefer SANCP to collect data in a format more conducive
for analysing "flows at rest".

Bamm


On Sun, Feb 6, 2011 at 10:38 PM, Jason Haar <Jason.Haar () trimble co nz> wrote:
> On 02/04/2011 04:11 PM, Martin Holste wrote:
> > I currently run Snort in multiple configurations on the gateway, but I
> > used to run it between servers and clients in the data center.  This
> > proved to be a total waste of time--the amount of traffic that needs
> > to be inspected combined with the massive amount of false positives
> > proved to be ineffective for useful intel for the amount of effort
> > required.  For monitoring the inside of the network, I recommend a
> > strategy of Netflow, firewall logs, and server logs before you start
> > trying IDS on that amount and kind of traffic.
> Just as an aside: have you ever found a practical use for NetFlow beyond
> detecting saturated pipes? e.g. like seeing spikes and tracking that
> back to something "bad" that *wasn't* a DoS tool? I just wonder if using
> mrtg to monitor for saturation would do 99.9% of what people actually
> use NetFlow for... On large networks, NetFlow basically makes graphs of
> traffic going up and down - you can get per-port if you're lucky. But
> the complexity of real networks just makes me think detecting "bad
> things" beyond DoS tools isn't really plausible?
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
>
> ------------------------------------------------------------------------------
> The modern datacenter depends on network connectivity to access resources
> and provide services. The best practices for maximizing a physical server's
> connectivity to a physical network are well understood - see how these
> rules translate into the virtual world?
> http://p.sf.net/sfu/oracle-sfdevnlfb
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



-- 
sguil - The Analyst Console for NSM
http://sguil.sf.net

------------------------------------------------------------------------------
The modern datacenter depends on network connectivity to access resources
and provide services. The best practices for maximizing a physical server's
connectivity to a physical network are well understood - see how these
rules translate into the virtual world? 
http://p.sf.net/sfu/oracle-sfdevnlfb
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users