> Sounds like a great topic for a TCLUG meeting. Jay, you interested? If
> so, let me know.

It would be a great topic for a TCLUG meeting.  I'd be interested in giving
a small presentation as long as someone else helps me out.  A potential
client is doing a security audit later this month on one of my networks, so
I'll be getting some good data from snort when that happens.  

The earliest I'd be able to show anything would be March, as I'll be out of
the country in the beginning of Feb, and travelling most of the rest of the
month.  Does anyone else run it that would be interested in helping with a
presentation?

I've been using the 1.7 CVS versions lately.  I haven't upgraded any of my
sniffers to the release version yet.  I sniff A LOT of traffic with it, so I
have been seeing bugs with it a lot.  I've reported everything I've found, so
hopefully the problems I was seeing before are fixed now.  Snort rules can
generate a lot of false positives too.  When you're on a small network,
that's not really a big deal.  But when you're sniffing traffic to a site
that does around 160MBit/sec of traffic during the day, the false positives
turn into a BIG problem.  

I tried out a couple of other IDS systems, which cost anywhere from $10,000
to $30,000, and nothing was as flexible or usable as snort.  If you're
thinking about spending lots of money on something, don't.  Snort is much
better and much more flexible than every other solution I've seen.

Jay

> -----Original Message-----
> From: Clay Fandre [mailto:clay at fandre.com]
> Sent: Saturday, January 13, 2001 8:51 PM
> To: tclug-list at mn-linux.org
> Subject: Re: [TCLUG] Anyone running Snort?
> 
> 
> Bob Tanner wrote:
> > 
> > > >I am looking for what type of resources a snort detector consumes.
> > >
> > > Negligible. I can paste in whatever stats you want. But it's quite minimal
> > > IMO.
> > 
> > Umm, how much traffic do you get :-)
> > 
> > What are the specs of the machine running snort?
> > 
> > IF you are switched network, what switches are you using?
> > 
> > IF you are switched network, I assume you are using port mirroring, how is the
> > impact on the switch?
> > 
> > How many segments are you snorting? (Heh, insert favorite drug line here)
> 
> Sounds like a great topic for a TCLUG meeting. Jay, you interested? If
> so, let me know.
> 
> Clay