Honeypots mailing list archives

Re: Capturing and analyzing data on different honeywalls


From: "Frank S Posluszny, III" <fsp () mitre org>
Date: Mon, 19 Jun 2006 10:44:22 -0400

Haven't done that myself, but I would think it'd just be copying over
the right config files, and then transferring updates to the database
and pcap files as needed.

This page looks like it might be helpful:
  http://www.cs.indiana.edu/~cviecco/distributed_roo/index.html
A little more involved than you want, but should give you the technical
details of what needs mimicking.

-fsp

Stefan Kelm said the following on 6/19/2006 8:01 AM:
List,

I'm about to set up a 1.0 Honeywall at a client site.

However, I will only be using that HW to collect the data
which will then be analyzed on a local (identical) HW. Since
transferring the data over the Internet is not an option, and I
want to use walleye, it should be sufficient to completely copy
the /var/log/ directory to my analyzing station, or am I
missing something here? Maybe /hw/conf/ needs to be
copied as well?