Snort mailing list archives
Re: Best Enterprise Snort Configuration
From: Michael Boman <michael.boman () securecirt com>
Date: Thu, 13 Feb 2003 11:02:09 +0800
On Wed, Feb 12, 2003 at 05:30:19PM +0100, Saad Kadhi wrote:
> On Wed, Feb 12, 2003 at 07:38:57AM -0800, tfandango wrote:
> > So what snort-related tools do you guys like the best? I will probably try to use mySQL to start off with and log to a central database somewhere. But what tools are available to remotely manage the snort application, display all the sensor alerts in near realtime on some central console (I assume this will be something that polls the database), etc, etc.
>
> again, if you check the archives you'll find truckloads of answers but here is my go at your questions (that is, what I like to use on my environment so YMMV):
>
> - database: mysql
> - alert management (not "real time"): acid [1]

- If realtime (or very close to it): sguil [5][6]

> - sensor configuration management: snortcenter [2]

- Or RMan [7], and soon in Sguil

> - extra pieces: snort doesn't log directly to db. I use barnyard [3] instead. and stunnel [4] to ssl-tunnel data between sensor and central db

- Sguil requires barnyard, and I would say it's suicide to run db output without barnyard... your sensor would be too busy sending the alerts instead of detecting them. If you decide to run on Linux platform check out Phil Wood's libpcap patches [8] and this [9] email message explains how to run it ;)

> that being said, I never tried ~60 sensors logging to a central db at the same time.
>
> cheers.
> --
> [1] http://www.cert.org/kb/acid/
> [2] http://users.pandora.be/larc/
> [3] http://www.snort.org/dl/barnyard/
> [4] http://www.stunnel.org/

[5] http://www.satexas.com/~bamf/sguil/
[6] http://sf.net/projects/sguil
[7] http://rman.sf.net
[8] http://public.lanl.gov/cpw/
[9] http://marc.theaimsgroup.com/?l=snort-users&m=103833873414252&w=2

Best regards
Michael Boman

--
Michael Boman
Security Architect, SecureCiRT Pte Ltd
http://www.securecirt.com
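As an added example (not from any of the posters), here is the sensor-side pipeline the thread describes: snort spools alerts to unified binary files, barnyard reads the spool and does the database inserts, and stunnel carries the MySQL connection to the central database over TLS with mutual certificate checks. Hostnames, paths and credentials are placeholders; the barnyard output-plugin syntax is as I recall it from barnyard 0.1/0.2 and should be checked against the version in use.

```ini
# --- snort.conf (sensor): spool alerts/logs to disk, no database output ---
output alert_unified: filename snort.alert, limit 128
output log_unified:   filename snort.log,   limit 128
# deliberately no "output database:" line; that is the blocking path
# the thread warns about (snort stalls on every insert instead of sniffing)

# --- barnyard.conf (sensor): read the spool and do the DB inserts ---
config hostname:  sensor01
config interface: eth1
# inserts go to the local stunnel client port, never straight across the network
output alert_acid_db: mysql, sensor_id 1, database snort, server 127.0.0.1, user snort, password CHANGEME
output log_acid_db:   mysql, database snort, server 127.0.0.1, user snort, password CHANGEME, detail full

# --- stunnel.conf (sensor, client side) ---
client = yes
cert   = /etc/stunnel/sensor01.pem
CAfile = /etc/stunnel/ca.pem
verify = 2            ; require a CA-signed server certificate, not just any cert
[mysql]
accept  = 127.0.0.1:3306
connect = db.central.example:3307

# --- stunnel.conf (central DB host, server side) ---
cert   = /etc/stunnel/db.pem
CAfile = /etc/stunnel/ca.pem
verify = 2            ; only sensors presenting CA-signed client certs may connect
[mysql]
accept  = 3307        ; TLS port exposed to the sensors
connect = 127.0.0.1:3306   ; MySQL itself listens on loopback only
```

With this layout the sensor's packet-capture process never waits on the network or the database, and the MySQL port is never reachable in the clear; if barnyard or the tunnel falls behind, alerts accumulate in the spool files rather than being dropped.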