Re: Snort Questions

From: Kurt Seifried (bugtraq@seifried.org)
Date: 09/25/01


Message-ID: <013301c14550$c161d900$6400030a@seifried.org>
From: "Kurt Seifried" <bugtraq@seifried.org>
To: "Stacy M. Williams" <stacy.williams@hellonetwork.com>, <focus-ids@securityfocus.com>
Subject: Re: Snort Questions
Date: Mon, 24 Sep 2001 17:29:26 -0600


> I am considering using Snort within my environment to justify the need for
> a full-scale intrusion detection process. I've heard more and more about
> people using Snort with varying levels of success, and it has piqued my
> curiosity to the point that I'm considering using it as my test bed.
>
> I have a couple of questions for those that have used this product with
> moderate success:

A lot of us have used it with more than moderate success =).

> 1. Where are the best places within the network to place the sensors, or
> where
> are most sensors placed?

Depends on what you want to detect. Placement of sensors on the "edge" (i.e.
outside firewalls) will detect a lot of attempts and is good for generating
baselines of activity. Placement inside the firewall will detect attacks
that made it through and are now careening around your systems. Placement
between servers and internal client machines can help detect internal
attacks. And so on.

> 2. What type of network degradation, if any, has been noticed or can be
> expected?

Well, it passively takes in traffic and analyzes it. Unless your switches
have serious problems mirroring a port or you are loading Snort on
production systems it shouldn't be an issue.

> Thanks for the help.
>
> Stacy M. Williams
> helloNetwork, Inc.

Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/
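As an added example, not part of Kurt's reply or of the Snort project: a small Python script that puts the placement advice above to work by correlating alerts from a sensor outside the firewall with alerts from a sensor inside it. Signatures seen by both sensors made it through the firewall; signatures seen only at the edge were blocked; signatures seen only inside are internal-origin activity the edge sensor could never observe. The alert lines are constructed samples in Snort's "fast" alert format (-A fast); the SIDs (1000001-1000004, the local-rule range), the addresses, and the two sensor roles are assumptions, and the correlation key assumes there is no NAT between the two sensors.

```python
import re

# One line of Snort "fast" alert output, e.g.
# 09/24-17:01:02.000001  [**] [1:1000001:1] msg [**] [Classification: x] [Priority: 1] {TCP} a.b.c.d:p -> e.f.g.h:q
# Ports are optional (ICMP alerts have none); Classification is optional. IPv4 only.
FAST_ALERT = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (not real sensor output). SIDs are in the local-rule range.
# Edge sensor: on the outside of the firewall, sees every attempt, including a retry of
# the first probe from a different source port.
EDGE_ALERTS = "\n".join([
    "09/24-17:01:02.000001  [**] [1:1000001:1] LOCAL web cmd.exe probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:44321 -> 192.0.2.10:80",
    "09/24-17:01:05.000002  [**] [1:1000002:1] LOCAL ICMP scanner ping [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.5 -> 192.0.2.10",
    "09/24-17:02:10.000003  [**] [1:1000003:1] LOCAL SOCKS proxy probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:51000 -> 192.0.2.11:1080",
    "09/24-17:04:30.000004  [**] [1:1000001:1] LOCAL web cmd.exe probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:44390 -> 192.0.2.10:80",
])
# Inside sensor: behind the firewall, on the segment between the servers and the clients.
# Only the web probe got through; it also sees an internal probe the edge never can.
INSIDE_ALERTS = "\n".join([
    "09/24-17:01:02.000310  [**] [1:1000001:1] LOCAL web cmd.exe probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:44321 -> 192.0.2.10:80",
    "09/24-17:05:41.000005  [**] [1:1000004:1] LOCAL internal SMB share probe [**] [Priority: 3] {TCP} 10.0.0.23:3456 -> 10.0.0.5:139",
])


def parse_fast_alert(line):
    """Return a dict of fields for one fast-format alert line, or None if it does not parse."""
    m = FAST_ALERT.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["sport"] = int(d["sport"]) if d["sport"] else None
    d["dport"] = int(d["dport"]) if d["dport"] else None
    d["prio"] = int(d["prio"])
    return d


def parse_alerts(text):
    """Parse a whole alert file, silently skipping blank and unparseable lines."""
    return [a for a in (parse_fast_alert(l) for l in text.splitlines() if l.strip()) if a]


def attack_key(alert):
    # Same signature, same source host, same destination host. Timestamps and ports are
    # ignored on purpose: a retried probe from the same host counts as one attack, and the
    # two sensors timestamp the same packet slightly differently. Assumes no NAT between
    # the sensors; with NAT the destination seen inside would not match the edge view.
    return (alert["sid"], alert["src"], alert["dst"])


def correlate(edge_text, inside_text):
    """Split attacks into: passed the firewall, blocked at the edge, internal-only."""
    edge = {attack_key(a) for a in parse_alerts(edge_text)}
    inside = {attack_key(a) for a in parse_alerts(inside_text)}
    return {
        "passed_firewall": sorted(edge & inside),   # seen outside and inside
        "blocked_at_edge": sorted(edge - inside),   # seen outside only
        "internal_only": sorted(inside - edge),     # seen inside only
    }


if __name__ == "__main__":
    for bucket, keys in correlate(EDGE_ALERTS, INSIDE_ALERTS).items():
        print(bucket)
        for sid, src, dst in keys:
            print("  sid %s  %s -> %s" % (sid, src, dst))
```

Run it against real files with the edge and inside sensors writing `-A fast` output to separate paths; the "passed_firewall" bucket is the list worth reviewing first, and a growing "blocked_at_edge" bucket is the baseline Kurt mentions. Keep the sensor clocks in sync if you later extend the key to include time windows.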
