Installing Snort to protect against internal floods

We run several dedicated boxes inside our network. Our biggest problem lately is network-wide floods from internal dedicated boxes that become compromised. The floods usually take down everything, as we don't utilize VLANs.

When we find the flooder within a few minutes, we disconnect the server and all-is-well again.

I'm looking for any suggestions to help take care of this issue.

We've got a box we're installing SNORT on, to test this out on battling flooding and to have a true IDS.

Does anyone have SNORT installed and configured in a shared and dedicated hosting environment? We're really not sure how we should config.

If we should place it as a portmaster or as a device between our router and core switch. Any suggestions appreciated!!!

 

 

 

 
