Snort mailing list archives
Re: Advice on IDS across WANS
From: Graxius <graxius () gmail com>
Date: Mon, 20 Sep 2004 15:40:37 -0500
> What can you people on this list advise so that I can read all logs from all 5 machines from a console machine in SiteA in the most secure way, and if possible with snort report.
You could use a barnyard solution. Using Barnyard you could have all your sensors log in binary format and have a script scp everything off the sensors to the analyst box. Then have barnyard process the files. Several well-documented solutions talk about this subject, so I am not going to reproduce it. This would allow you to place a sensor anywhere and use SSH as the tunnel.

If you really wanted to get crazy you could use TCPDump and scp the raw traffic, but that would not be efficient unless you wrote some good filters. The Shadow IDS project is based around TCPDump and the above method. It is how I got started with it and a good place to begin.

Also check out Bill Stearns' SSH-Keyinstall. This app takes almost all the headache out of SSH-key based authentication for scripts.

Some great resources:

http://www.stearns.org/ssh-keyinstall/          Bill Stearns' SSH-Keyinstall
http://sguil.sourceforge.net/                   Great front end
http://www.sans.org/rr/catindex.php?cat_id=30   Great source of papers on IDS
http://www.nswc.navy.mil/ISSEC/CID/             Shadow IDS Home Page

Mileage may vary and these are my opinions ;)

Respectfully,
Rich
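The collection pipeline Rich describes (sensors write unified binary logs, a script pulls them off over key-based SSH, barnyard processes the batch on the analyst box) as an added example script; it is not from the original post or from the Snort or Barnyard projects. The sensor names, log paths, key file location, spool directory and barnyard flags are assumptions to adapt to your own deployment.

```shell
#!/bin/sh
# Added example (not from the original post): pull rotated Snort unified
# log files from remote sensors over key-based SSH, then hand the batch to
# barnyard on the analyst box. Hosts, paths, the key file and the barnyard
# flags below are assumptions; adapt them to your deployment.
set -eu

SSH_KEY="${SSH_KEY:-$HOME/.ssh/snort_collect}"      # assumed key, e.g. installed with ssh-keyinstall
SPOOL_DIR="${SPOOL_DIR:-/var/log/snort/spool}"      # assumed local spool for collected files
BARNYARD_CONF="${BARNYARD_CONF:-/etc/snort/barnyard.conf}"
DRY_RUN="${DRY_RUN:-0}"                              # 1 = print commands instead of running them

# Sensors to collect from, as user@host:/remote/log/dir (assumed names).
SENSORS="snort@sensor-b.example:/var/log/snort snort@sensor-c.example:/var/log/snort"

sensor_host() { printf '%s\n' "${1%%:*}"; }   # user@host part
sensor_dir()  { printf '%s\n' "${1#*:}"; }    # /remote/dir part

# stdin: unified file names as snort writes them, <base>.<unix-timestamp>.
# stdout: every name except the newest per base, which snort may still have
# open; copying an open file would hand barnyard a truncated record.
rotated_files() {
    awk -F. '
        NF < 2 || $NF !~ /^[0-9]+$/ { next }          # skip names without a timestamp
        {
            ts = $NF + 0
            base = substr($0, 1, length($0) - length($NF) - 1)
            if (!(base in newest) || ts > newest[base]) newest[base] = ts
            name[NR] = $0; b[NR] = base; t[NR] = ts
        }
        END {
            for (i = 1; i <= NR; i++)
                if ((i in name) && t[i] != newest[b[i]]) print name[i]
        }'
}

# Run a command, or just show it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf 'DRY-RUN: %s\n' "$*"; else "$@"; fi
}

# Copy every rotated file from one sensor, then remove the remote copy only
# after scp reported success, so an interrupted transfer is retried next run.
collect_sensor() {
    host=$(sensor_host "$1"); dir=$(sensor_dir "$1")
    if [ "$DRY_RUN" = 1 ]; then
        printf 'DRY-RUN: ssh -i %s %s ls %s\n' "$SSH_KEY" "$host" "$dir"
        return 0
    fi
    mkdir -p "$SPOOL_DIR"
    ssh -i "$SSH_KEY" -o BatchMode=yes "$host" "ls $dir" | rotated_files |
    while IFS= read -r f; do
        run scp -i "$SSH_KEY" -o BatchMode=yes "$host:$dir/$f" "$SPOOL_DIR/$f" &&
        run ssh -i "$SSH_KEY" -o BatchMode=yes "$host" "rm -f $dir/$f"
    done
}

# Process the collected batch with barnyard (flags assumed; check your version's man page).
process_spool() {
    run barnyard -c "$BARNYARD_CONF" -d "$SPOOL_DIR" -f snort.log -w "$SPOOL_DIR/waldo"
}

main() {
    for s in $SENSORS; do collect_sensor "$s"; done
    process_spool
}

# Invoke as: sh collect.sh run   (DRY_RUN=1 sh collect.sh run to rehearse)
if [ "${1:-}" = "run" ]; then main; fi
```

Two points worth keeping in mind when adapting this: the script deliberately skips the newest file per base name because that is the one snort still has open, and the remote copy is only deleted after scp succeeds, so a broken WAN link means a retry rather than a lost file. On the sensors, the collector's public key can be restricted in authorized_keys with the standard `from=` and `command=` options so it is only usable from the analyst box and only for the listing, copy and cleanup it needs.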
Current thread:
- Advice on IDS across WANS Patrick Marquetecken (Sep 20)
- Re: Advice on IDS across WANS Graxius (Sep 20)