Re: question on distributed snort collection

[Bamm Visscher <bamm () satx rr com>]

All my sensors run FreeBSD with IPSEC enabled. I have an FreeBSD IPSEC GW that all the sensors establish tunnels with. 
From there the data is routed to an internal network that consitsts of a central DB and GUI server. Any of us analyst 
can connect to the GUI server (either from the local net or an ssh tunnel), and manage events thru a GUI console. 
Although we use a proprietary interface right now, our plans are to move to sguil (http://sguil.sf.net - yeah, I 
plugged it again), in the future. The DB becomes the biggest hassle (we are using postgres currently, but mysql 
w/sguil). At one point I think we scaled to eight sensors inserting a few hundred thousand events and around 10 million 
connections/day.

Bammkkkk

On Wed, Jun 04, 2003 at 04:00:45PM -0400, Garrett.Allen () ser com wrote:
> i've gotten the pink beastie stable and am getting useful info out.  so far,
> so good.  now i would like to extend to remote locations.  is there a
> preferred means of doing this?  flat vs. tiered mom (mom = monitor of
> monitors)?  still in the planning phase and have time to test in the lab,
> but any shortcuts / recommendations are appreciated.
>
> thanks.
> garrett


-------------------------------------------------------
This SF.net email is sponsored by:  Etnus, makers of TotalView, The best
thread debugger on the planet. Designed with thread debugging features
you've never dreamed of, try TotalView 6 free at www.etnus.com.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users