Okay, so I have some more questions then, but I'm still not sure how
helpful I can be. Maybe someone else with a similar environment can chime
in.

These nodes, are they servers or endpoints (laptop/desktops used for
productivity - internet use, email, etc.)?  Are they behind network
firewalls or NAT, or are they exposed?  Are they shared machines or one
primary user each?  If there are any internet exposed services, what are
they?

Jon

On Wed, Sep 20, 2017, 06:50 Syed Hammad Tahir <[email protected]> wrote:

> Actually I need to forward the specs for my IT department as soon as
> possible, I was thinking to get a rough idea.
> Regards.
>
> On Wed, Sep 20, 2017 at 3:43 PM, [email protected] <[email protected]>
> wrote:
>
>> This is very much something Metron can do, but scoping hardware requires
>> more detail about the data and work to be done on the data.  I would focus
>> on setting up the sensors (custom IDS, snort) and then either gather
>> metrics and scope Metron or just spin it up by default/with whatever you
>> have and see how it works.
>>
>> Jon
>>
>> On Wed, Sep 20, 2017, 06:23 Syed Hammad Tahir <[email protected]>
>> wrote:
>>
>>> Hi,
>>>
>>> 1- I want to focus more on real time analysis but let's say we start with
>>> a pcap dump. I don't know at this point how much data it can dump in a 24hr
>>> period given the LAN environment of 100 nodes. You can assert your
>>> assumption to answer.
>>>
>>> 2- Snort data most probably, and I don't know about the number of events
>>> yet. You can also assert your assumption here for a hypothetical scenario
>>> to guide me.
>>>
>>> 3- I want to build an intrusion detection system and apply some machine
>>> learning algorithm on it, so I guess profiling is the answer to the third
>>> question.
>>>
>>> Based on those partial answers and your insight into this domain, kindly
>>> reply with the most suitable solution, with assumptions where necessary.
>>>
>>> If you think that I am expecting something from Metron which it can't do
>>> then kindly let me know.
>>>
>>> Regards.
>>>
>>> On Wed, Sep 20, 2017 at 3:11 PM, [email protected] <[email protected]>
>>> wrote:
>>>
>>>> Full dev is intended for testing, not actual use.  That said, to answer
>>>> your question it is more important to know (1) will you be storing pcap,
>>>> (1b) if so, how much per day and for how long, (2) what data will you be
>>>> sending into Metron (bro, yaf, snort, asa, etc.) and how many events per
>>>> second is it, and (3) what are you planning to do with the data (profiling,
>>>> MaaS, enrichments, etc.)?
>>>>
>>>> Jon
>>>>
>>>> On Wed, Sep 20, 2017, 04:04 Syed Hammad Tahir <[email protected]>
>>>> wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> What would be the system required in order to run Metron and analyze a
>>>>> LAN environment of almost 100 nodes using a single-node full development
>>>>> deployment?
>>>>>
>>>>> Regards.
>>>>>
>>>> --
>>>>
>>>> Jon
>>>>
>>>
>>> --
>>
>> Jon
>>
>
> --

Jon

Reply via email to