On Fri, 2 Jul 2004 10:32:45 -0400
 Renaud Deraison <[EMAIL PROTECTED]> wrote:
>
>It's okay. You probably want to set "be_nice" to "yes" in nessusd.conf
>and set a negative niceness to the snort process to make sure you don't
>miss intrusion attempts while you're doing your scan.
>
>


Currently running approx. 20 "Security Devices" within a
corp network. Each device is dual CPUs and 2 gig ram. They
run snort, snort_inline (in bridged mode), nessus, nmap, and
many other security tools. I built an autoyast image for
these since they are SuSE 9.1 (was 9.0) and we can build
these things in less than an hour. Oh, NTOP monitors the
bridged connections for traffic monitoring. The Snort
instances tie back to Sguil and OpenAANVAL as well as ACID
on a box in a protected area. In addition some of the
systems have honeyd running on them/beside them. Makes for
a very nice setup. Everything is monitored with
BigSister...

The only issue was setting up the bridged ports with IPs so
Nessus ran right. This was easy by putting a plugin that
kicked off when you started a scan and gave the bridged
connection an IP address which the scans would run, and
then remove it at the end so it was back to being
transparent.

The biggest hog is of course snort_inline, but on
connections pumping a full 100 meg through, we see about
10% cpu usage and with nessus running it jumps to 15-20%.

On some systems, the bridged connections have quad set of
cards for failover and load balancing. Beats the
commercial stuff hands down.

Currently looking at Tenable Lightning Console to tie it
all back together with Snort and Nessus to make for one
complete package.

Bottom line answer to the question - it works and it works
quite well!

ciao
        