Distributing Traffic to Multiple Sensors

If you are deploying an IDS at a large organization, there is a good chance that you will need to monitor network traffic at a single location where the volume exceeds the theoretical capacity of a lone Snort sensor. In high-bandwidth situations, it is tempting to tune Snort by trimming a large number of rules from the ruleset so that a single sensor can keep up with the traffic. It is equally tempting to turn off preprocessors that generate non-critical alerts, such as portscan2. Although these actions are better than dropping packets or not monitoring at all, there are solutions that allow the sensor to remain in its most potent form.

Large organizations ...
