Chapter 6. Deploying Snort
Deploying an NIDS presents an administrator with some real challenges (apart from attempting to find a rational explanation for management on the return on investment for a security project). Installing and getting Snort up and running is just the beginning. You need to figure out what you want to watch, how you can watch it, and how to get meaningful information out of your effort.

Many of the obstacles to your NIDS deployment efforts are not technical at all. You might have to convince management that intrusion detection has value on par with the dollars and labor involved. Another, sometimes unforeseen issue is that an organization may have separate departments for network, server, and security administration—and communication between the groups may be poor.

Snort makes meeting these challenges a bit easier. Snort is free and will run on relatively low-cost hardware (it's unreal how inexpensive memory and disk have become!). The initial installation and configuration of Snort is fairly straightforward, and you can use my experiences and advice in this book (and the available support of the open source community surrounding Snort) to aid in the ongoing maintenance and administration of your IDS installation. While Snort won't magically get your different departments talking to one another, Snort sits as a passive listener on the network, needing little cooperation with the other departments to get installed and running. Once you call the server guys with notification that they may be suffering a security breach and it is confirmed, you will see communication improve quickly.

Spending time and care on the installation, initial configuration, and placement of Snort will reduce false positives, improve performance, and ensure that you are watching what is important.

Let's look at the nontechnical challenges to deploying an NIDS (Snort, specifically) and then dive into the technical issues.