Intrusion Detection

Title:Intrusion Detection (ID: EPS170)
Author(s):Timothy Wright (University of Notre Dame)
Topics:Intrusion Detection and Prevention, Logging and Monitoring, Security Architecture
Origin:Community Contributions (2003)
Type:Effective Practices
Abstract:

Intrusion detection was a high priority for the Notre Dame Information Security Department when it was created about a year and a half ago. The university's Responsible Use Policy contains a clause that codifies the university's right to "inspect and examine any Notre Dame owned or operated communications system, computing resource, and/or files or information contained therein at any time," enabling us to implement an intrusion detection system (IDS) with no resistance.

We evaluated the top commercial and open source network intrusion detection system (NIDS) products, including Snort. Ultimately, we found that the best fit was multiple Snort sensors managed using SnortCenter, with MySQL for data storage and ACID for display and reporting.

We have eight Snort sensors, each running Red Hat Linux on a dual-processor Xeon machine with 1.5GB of RAM and modest hard drive space. Each sensor has two network interface cards: one read-only for listening (fed by spanning ports on a given switch), and another for sensor management. Although SnortCenter is a little rough around the edges in terms of its interface (see Figure 1), it enables us to manage all eight sensors in a centralized fashion. We perform OS patching and configuration manually, with some automation using Red Hat's up2date utility via the Red Hat Network.

Our Analysis Console for Intrusion Databases (ACID) and its MySQL database run on a four-processor Xeon with 4GB of RAM and 300GB of storage capacity (split across RAID 1 and RAID 5 arrays). This was easily the most expensive component of our IDS solution; what we spent was similar to the cost of a commercial sensor and database, but with eight times the sensing ability.
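The pipeline described above (sensors emitting Snort alerts, a central MySQL store, ACID aggregating them for display) can be illustrated with a small worked example. The following is an added example written for this page, not code from the Notre Dame deployment or from the Snort, SnortCenter or ACID projects. It parses alerts in Snort's "fast" alert format (the one-line format Snort writes with -A fast), loads them into an in-memory SQLite table standing in for the MySQL event store, and runs the two reporting queries a console like ACID answers first: which signatures fire most, and which sources are seen by more than one sensor. The sensor names, SIDs, addresses and log lines are constructed for the example.

```python
import re
import sqlite3

# Snort 2.x "fast" alert format (-A fast), one alert per line:
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ...]
#   [Priority: N] {PROTO} src[:port] -> dst[:port]
# The Classification field is optional and ICMP alerts carry no ports,
# so both are optional groups here.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alert logs, one list per sensor. Sensor names, SIDs and
# addresses are made up for this example; the non-alert line in sensor-a's
# log shows how malformed input is skipped rather than loaded.
SAMPLE_ALERTS = {
    "sensor-a": [
        "01/15-14:23:11.123456  [**] [1:1000001:1] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.1.5:43210 -> 129.74.1.10:80",
        "01/15-14:23:12.654321  [**] [1:1000001:1] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.1.5:43211 -> 129.74.1.11:80",
        "01/15-14:25:02.000001  [**] [1:1000002:2] WEB-MISC /etc/passwd access attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.1.1.5:43300 -> 129.74.1.10:80",
        "this line is not a snort alert and must be skipped",
    ],
    "sensor-b": [
        "01/15-14:24:40.111111  [**] [1:1000003:1] ICMP PING undefined code [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.1.1.5 -> 129.74.2.20",
        "01/15-14:26:09.222222  [**] [1:1000001:1] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.1.5:43500 -> 129.74.2.21:443",
        "01/15-14:27:00.333333  [**] [1:1000004:1] SQL injection attempt [**] [Priority: 1] {TCP} 172.16.9.9:51000 -> 129.74.2.20:80",
    ],
}

# Minimal event table; a real ACID/MySQL schema is normalized across several
# tables, but the reporting questions below need only these columns.
SCHEMA = """
CREATE TABLE event (
    sensor TEXT NOT NULL, ts TEXT NOT NULL,
    gid INTEGER, sid INTEGER, rev INTEGER, msg TEXT NOT NULL,
    classification TEXT, priority INTEGER,
    proto TEXT, src TEXT, sport INTEGER, dst TEXT, dport INTEGER
)
"""


def parse_fast_alert(line):
    """Return a dict of alert fields, or None if the line is not a fast alert."""
    m = FAST_ALERT_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        fields[key] = int(fields[key]) if fields[key] is not None else None
    return fields


def build_db():
    """Create the in-memory event store (stand-in for the MySQL database)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def load_alerts(conn, sensor, lines):
    """Insert one sensor's alerts; returns (inserted, skipped) counts."""
    inserted = skipped = 0
    for line in lines:
        a = parse_fast_alert(line)
        if a is None:
            skipped += 1
            continue
        conn.execute(
            "INSERT INTO event VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?)",
            (sensor, a["ts"], a["gid"], a["sid"], a["rev"], a["msg"], a["cls"],
             a["prio"], a["proto"], a["src"], a["sport"], a["dst"], a["dport"]),
        )
        inserted += 1
    conn.commit()
    return inserted, skipped


def top_signatures(conn, limit=5):
    """Most frequent signatures across all sensors: [(sid, msg, count), ...]."""
    return conn.execute(
        "SELECT sid, msg, COUNT(*) AS n FROM event "
        "GROUP BY sid, msg ORDER BY n DESC, sid LIMIT ?", (limit,)).fetchall()


def top_sources(conn, limit=5):
    """Sources ranked by how many sensors saw them: [(src, events, sensors), ...]."""
    return conn.execute(
        "SELECT src, COUNT(*) AS n, COUNT(DISTINCT sensor) AS s FROM event "
        "GROUP BY src ORDER BY s DESC, n DESC LIMIT ?", (limit,)).fetchall()


def build_report():
    """Load every sensor's log and return (per-sensor totals, signatures, sources)."""
    conn = build_db()
    totals = {s: load_alerts(conn, s, lines) for s, lines in SAMPLE_ALERTS.items()}
    return totals, top_signatures(conn), top_sources(conn)


if __name__ == "__main__":
    totals, sigs, srcs = build_report()
    for sensor, (ok, bad) in totals.items():
        print(f"{sensor}: {ok} alerts loaded, {bad} lines skipped")
    print("top signatures:", sigs)
    print("sources by sensor coverage:", srcs)
```

The second query is the one that a central store buys you over per-sensor logs: the same source address probing segments watched by two different sensors shows up as a single row, which is not visible from either sensor on its own.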

© Copyright 1999-2009 EDUCAUSE