View Full Version : Snort.Org

g333
05-04-2002, 10:44 PM
Can anyone tell me a thing or two about Snort?

jks
05-05-2002, 11:12 AM
Originally posted by g333:
    Can anyone tell me a thing or two about Snort?

What do you want to know? (have you read the website?)

g333
05-05-2002, 12:52 PM
Look at subject. hehe

Thanks,
Michel Barker

jks
05-05-2002, 01:02 PM
Originally posted by g333:
    Look at subject. hehe
    Thanks, Michel Barker

It works :-) (although be prepared to get some false positives until you have tweaked the rules for your setup)

ffeingol
05-05-2002, 01:37 PM
Yep, I agree. Works great but you must tweak the rules for your site.

Snort basically looks at the network packets coming into your box (or boxes) and checks them against a set of rules. Then depending on how you have things configured, it will write alerts and log the packets for you to look at. A nice program to go with it is SnortSnarf (http://www.silicondefense.com/software/snortsnarf/) that formats the alerts into an easy-to-use webpage.

Frank

Matt Lightner
05-05-2002, 03:42 PM
Demarc is also a great tool to use with Snort (actually, I think Snort comes with the Demarc distribution). It provides a great interface to the Snort data.

Note that if you are using a switch as opposed to a hub (which I assume most people are), you are going to have to configure your switch a certain way in order to get all traffic mirrored to the port of the server on which you are running snort. Otherwise you are only monitoring traffic that was sent to that one server (of course, that may be what you wanted to do all along--I don't know).

ffeingol
05-05-2002, 03:51 PM
Demarc used to be a great free product (for us little guys). Now it's like 1600 USD, so it's prob. not a great alternative for a lot of people. The only other problem with Demarc is that you must log to a mysql db. On a busy server, this can put quite a bit of strain on mysql.

Frank

jks
05-05-2002, 03:55 PM
Originally posted by ffeingol:
    Demarc used to be a great free product (for us little guys). Now it's like 1600 USD, so it's prob. not a great alternative for a lot of people. The only other problem with Demarc is that you must log to a mysql db. On a busy server, this can put quite a bit of strain on mysql.
    Frank

Yes, the new price tag is a bit boring :-(

It's not my experience that it is MySQL that strains the server - we have the problem that snort is taking up too much CPU time. For example at 600 kb/s it's taking up almost 30%-40% ... I don't know if it's a bug or something like that...

Matt Lightner
05-05-2002, 04:00 PM
Holy smokes.. you're right:

    Unix Console with a Network Segment License $2350.00

That's a bit more expensive than "free" :) However to a company managing their own network, it would probably be worth the investment.

Matt Lightner
05-05-2002, 04:04 PM
Originally posted by jks:
    Yes, the new price tag is a bit boring :-( It's not my experience that it is MySQL that strains the server - we have the problem that snort is taking up too much CPU time. For example at 600 kb/s it's taking up almost 30%-40% ... I don't know if it's a bug or something like that...

Well, considering that it has to examine each packet that comes into your server (and 600k/sec is a relatively high amount of traffic), you can expect it to require a bit of CPU. We have a system configured to watch all traffic on our network, and the load hangs at about 1.0 all day. I believe that Snort will only examine as much traffic as will completely utilize the CPU, and discard traffic that would push it over that limit--but don't quote me on that. :)

But in other words, you should be able to run Snort on a P3 1GHz and have it "monitor" 10 megs of traffic... but it probably won't process every packet that it receives.

ffeingol
05-05-2002, 04:12 PM
Originally posted by jks:
    It's not my experience that it is MySQL that strains the server - we have the problem that snort is taking up too much CPU time. For example at 600 kb/s it's taking up almost 30%-40% ...

Are you running snort in the "fast" mode (i.e. -b -A fast)?

Frank

zoneindex
05-05-2002, 07:52 PM
The program is quite good.

Jeffyt
05-05-2002, 10:32 PM
I have used snort for quite some time. I love it. There is probably no other open source Network Intrusion software that compares to the robustness (probably not a word ;) ) that snort has to offer. Coupled with acid (or even SnortSnarf), I think you can develop a pretty good sniffer/manager package to stop the bad people.

Keeping on snortin' with acid :)

Regards,
Jeff
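ffeingol's description of what Snort does (match packets against rules, write alerts, let SnortSnarf roll the alerts up into a summary page) and the later mention of `-A fast` can be tied together with a small parser for Snort's fast-alert line format. This is an added example, not code from Snort, SnortSnarf or anyone in the thread; the alert lines, signature IDs and addresses are constructed, and it assumes IPv4 addresses only.

```python
import re
from collections import Counter

# Constructed sample of Snort "-A fast" output: one line per alert, no
# payload. Signature IDs (local-rule range) and addresses are made up.
SAMPLE_FAST_ALERTS = """\
05/05-13:37:01.000123  [**] [1:1000001:1] LOCAL example probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:44321 -> 192.168.1.10:80
05/05-13:37:02.000456  [**] [1:1000001:1] LOCAL example probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:44322 -> 192.168.1.10:443
05/05-13:37:03.000789  [**] [1:1000002:2] LOCAL example ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 192.168.1.10
05/05-13:37:04.000012  [**] [1:1000001:1] LOCAL example probe [**] [Priority: 2] {UDP} 10.0.0.5:5000 -> 192.168.1.11:53
"""

# Fast format: timestamp, [gid:sid:rev], message, optional classification,
# priority, protocol, src[:port] -> dst[:port]. Ports are absent for ICMP.
FAST_LINE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s*"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[^\s:]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[^\s:]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_alert(line):
    """Parse one fast-alert line into a dict; None if the line is not an alert."""
    m = FAST_LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        d[key] = int(d[key]) if d[key] is not None else None
    return d


def parse_fast_alerts(text):
    """Parse a whole alert file, skipping blank or unparseable lines."""
    return [a for a in map(parse_fast_alert, text.splitlines()) if a is not None]


def summarize(alerts):
    """Roll alerts up SnortSnarf-style: by signature, source address and priority."""
    return {
        "by_signature": Counter((a["gid"], a["sid"], a["msg"]) for a in alerts),
        "by_source": Counter(a["src"] for a in alerts),
        "by_priority": Counter(a["prio"] for a in alerts),
    }


if __name__ == "__main__":
    summary = summarize(parse_fast_alerts(SAMPLE_FAST_ALERTS))
    for (gid, sid, msg), n in summary["by_signature"].most_common():
        print(f"{n:5d}  [{gid}:{sid}] {msg}")
```

Point the script at a real `alert` file written with `-A fast` and the per-signature counts show which rules are firing most, which is the first step in the rule tweaking the earlier replies recommend.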