1- The nodes are endpoints (desktops and laptops connected in a LAN and using shared internet).
2- They are behind NAT.
3- They are for one primary user each.
4- These nodes are deployed in our university labs, so there is no internet-exposed service.

On Wed, Sep 20, 2017 at 3:55 PM, [email protected] <[email protected]> wrote:

> Okay, so I have some more questions then, but I'm still not sure how
> helpful I can be. Maybe someone else with a similar environment can chime
> in.
>
> These nodes, are they servers or endpoints (laptop/desktops used for
> productivity - internet use, email, etc.)? Are they behind network
> firewalls or NAT, or are they exposed? Are they shared machines or one
> primary user each? If there are any internet exposed services, what are
> they?
>
> Jon
>
> On Wed, Sep 20, 2017, 06:50 Syed Hammad Tahir <[email protected]> wrote:
>
>> Actually I need to forward the specs to my IT department as soon as
>> possible; I was thinking to get a rough idea.
>> Regards.
>>
>> On Wed, Sep 20, 2017 at 3:43 PM, [email protected] <[email protected]> wrote:
>>
>>> This is very much something Metron can do, but scoping hardware requires
>>> more detail about the data and work to be done on the data. I would focus
>>> on setting up the sensors (custom IDS, snort) and then either gather
>>> metrics and scope Metron or just spin it up by default/with whatever you
>>> have and see how it works.
>>>
>>> Jon
>>>
>>> On Wed, Sep 20, 2017, 06:23 Syed Hammad Tahir <[email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> 1- I want to focus more on real-time analysis, but let's say we start
>>>> with a pcap dump. I don't know at this point how much data it can dump in a
>>>> 24hr period given the LAN environment of 100 nodes. You can assert your
>>>> assumption to answer.
>>>>
>>>> 2- Snort data most probably, and I don't know about the number of events
>>>> yet. You can also assert your assumption here for a hypothetical scenario
>>>> to guide me.
>>>>
>>>> 3- I want to build an intrusion detection system and apply some machine
>>>> learning algorithm on it, so I guess profiling is the answer to the third
>>>> question.
>>>>
>>>> Based on those partial answers and your insight into this domain,
>>>> kindly reply with the most suitable solution, with assumptions where necessary.
>>>>
>>>> If you think that I am expecting something from Metron which it can't do,
>>>> then kindly let me know.
>>>>
>>>> Regards.
>>>>
>>>> On Wed, Sep 20, 2017 at 3:11 PM, [email protected] <[email protected]> wrote:
>>>>
>>>>> Full dev is intended for testing, not actual use. That said, to
>>>>> answer your question it is more important to know (1) will you be storing
>>>>> pcap, (1b) if so, how much per day and for how long, (2) what data will you
>>>>> be sending into Metron (bro, yaf, snort, asa, etc.) and how many events per
>>>>> second is it, and (3) what are you planning to do with the data (profiling,
>>>>> MaaS, enrichments, etc.)?
>>>>>
>>>>> Jon
>>>>>
>>>>> On Wed, Sep 20, 2017, 04:04 Syed Hammad Tahir <[email protected]> wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> What would be the system required in order to run Metron and analyze
>>>>>> a LAN environment of almost 100 nodes using a single-node full development
>>>>>> deployment?
>>>>>>
>>>>>> Regards.
>>>>>>
>>>>> --
>>>>>
>>>>> Jon
>>>>>
>>>>
>>>> --
>>>
>>> Jon
>>>
>>
>> --
>
> Jon
>
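Jon's advice in the thread is to stand up the sensors first and measure before sizing: the two numbers he asks for are Snort events per second and pcap bytes per day. The script below, an added example that is not part of the thread or of the Metron project, shows one way to get both. It parses Snort's alert_fast output (the default one-line alert format, without the year because `-y` is off) to compute mean and peak events per second and the noisiest SIDs, and it turns an assumed per-node bandwidth into a pcap-per-day figure including the 16-byte per-packet pcap record header. The alert lines are constructed for the demo, and the 200 kbit/s per node and 600-byte average packet figures in the usage block are placeholders to replace with interface counters from the actual lab.

```python
"""Gather-the-metrics helpers for scoping Metron: Snort events per second from
an alert_fast log, and full-packet pcap volume per day from an assumed per-node
bandwidth.  Added example, not Metron project code; the alert lines below are
constructed for the demo, not real captures."""
import re
from collections import Counter
from datetime import datetime

# Snort alert_fast line (no -y flag, so no year in the timestamp):
#   MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {proto} src -> dst
# The Classification block is absent for rules without a classtype, so it is optional.
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Constructed sample: five alerts spread over five seconds plus one junk line.
SAMPLE_ALERTS = """\
09/20-14:03:11.120000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.20.3.15:80 -> 10.20.3.42:52311
09/20-14:03:11.480000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.20.3.15:80 -> 10.20.3.42:52312
09/20-14:03:11.910000  [**] [1:1000001:1] LOCAL test rule [**] [Priority: 3] {ICMP} 10.20.3.42 -> 10.20.3.1
09/20-14:03:13.002000  [**] [1:2003068:7] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.20.3.77:41022 -> 10.20.3.9:22
this line is not an alert
09/20-14:03:15.650000  [**] [1:2003068:7] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.20.3.77:41023 -> 10.20.3.9:22
"""

PCAP_GLOBAL_HEADER = 24   # bytes, once per pcap file
PCAP_RECORD_HEADER = 16   # bytes per packet: ts_sec, ts_usec, incl_len, orig_len


def parse_fast_alert(line):
    """Parse one alert_fast line into a dict, or None if it is not an alert.
    The log carries no year; 2000 (a leap year) is substituted so a 02/29
    timestamp still parses.  Only relative time matters for rate math."""
    m = FAST_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime("2000/" + rec["ts"], "%Y/%m/%d-%H:%M:%S.%f")
    rec["sid"] = int(rec["sid"])
    rec["prio"] = int(rec["prio"])
    return rec


def alert_rate(lines, top_n=3):
    """Bucket alerts into one-second bins and return totals, the wall-clock
    span covered, mean EPS over that span, peak EPS (busiest second), and the
    top_n noisiest SIDs (the first candidates for tuning before Metron sees them)."""
    buckets, sids, unparsed = Counter(), Counter(), 0
    for line in lines:
        rec = parse_fast_alert(line)
        if rec is None:
            unparsed += line.strip() != ""
            continue
        buckets[rec["ts"].replace(microsecond=0)] += 1
        sids[rec["sid"]] += 1
    total = sum(buckets.values())
    span = (max(buckets) - min(buckets)).total_seconds() + 1 if buckets else 0
    return {
        "alerts": total,
        "unparsed": unparsed,
        "span_seconds": span,
        "mean_eps": total / span if span else 0.0,
        "peak_eps": max(buckets.values()) if buckets else 0,
        "top_sids": sids.most_common(top_n),
    }


def pcap_bytes_per_day(nodes, avg_bps_per_node, avg_packet_bytes, snaplen=65535):
    """Full-packet pcap volume for one day.  avg_bps_per_node is an ASSUMED
    sustained average in bits/s per endpoint; replace it with a measurement
    before ordering disks.  Captured bytes are capped at snaplen per packet."""
    bytes_per_sec = nodes * avg_bps_per_node / 8
    packets_per_sec = bytes_per_sec / avg_packet_bytes
    stored_per_packet = min(avg_packet_bytes, snaplen) + PCAP_RECORD_HEADER
    return round(packets_per_sec * stored_per_packet * 86400) + PCAP_GLOBAL_HEADER


if __name__ == "__main__":
    stats = alert_rate(SAMPLE_ALERTS.splitlines())
    print("snort: %(alerts)d alerts over %(span_seconds).0fs, mean %(mean_eps).2f eps, "
          "peak %(peak_eps)d eps, noisiest sids %(top_sids)s" % stats)
    # Placeholder assumptions: 100 nodes, 200 kbit/s each, 600-byte average packet.
    per_day = pcap_bytes_per_day(nodes=100, avg_bps_per_node=200_000, avg_packet_bytes=600)
    print("pcap: %.1f GB/day at the assumed load" % (per_day / 1e9))
```

Run it against a real alert file with `alert_rate(open("/var/log/snort/alert").read().splitlines())` after a day or two of sensor uptime; the peak EPS, not the mean, is what the Kafka and parser topology needs headroom for, and the top SIDs tell you which rules to tune before counting them as load.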
