Snort mailing list archives
Snort Architecture and Management
From: "Morris, Shane (US SSA)" <shane.morris () baesystems com>
Date: Fri, 31 May 2013 00:53:50 +0000
I currently have several Snort sensors spread across the world at different sites. Each sensor runs independently of the others; it's the basic Snort dumping to MySQL and an ArcSight connector pulling from the DB and shoveling the alerts into ArcSight. We support a growing 10K plus rule set. So each sensor has its own copy of Snort, MySQL and ArcSight Connector running. We are about to roll out many more sensors and this approach is not manageable, so it needs to be re-architected and I'm looking for any and all suggestions from those who are already doing more.

I'm going to implement Barnyard2 unless someone has a reason why I should stick with Barnyard. My plan is to have each sensor only running Snort and Barnyard2 and dumping to two managers (for redundancy). The managers will be running MySQL, and the ArcSight connector will be running on a separate server and pulling from the DB. This way I only have to manage two databases and two connectors. I would also like to add a GUI, so I was considering BASE to give my analysts a more robust tool to go through alerts and do some reporting.

Questions:

1. I'm currently running RedHat but am fluent in any flavor of Linux. Which is the most widely supported OS for Snort and Snort-related apps? It seems like CentOS is very popular among Snort users.
2. Is there a way I can cache events on the sensors temporarily if the connection is lost between the sensor and the manager?
3. Are there better options for a GUI than BASE? I would even consider running two if there was enough value in both.
4. I'm looking for management tools for the sensors and the rules that I can run from the managers.
5. Any suggestions for managing large rule sets instead of one flat file?

If I'm going to redo this thing I want to do it right. Thank you and any input is appreciated.

-Shane
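The sensor side of the plan described in the message above, as an added example that is not part of the original post or of the Snort/Barnyard2 projects: the Snort output line that writes a unified2 spool to local disk, and a barnyard2.conf that reads that spool and forwards every event to two MySQL managers. Hostnames, interface name, credentials and file paths are placeholders, not values from the thread.

```conf
# --- snort.conf (sensor): write events to a unified2 spool on local disk ---
# Spool files roll over at 128 MB. Snort only ever writes to disk, so it never
# blocks on a database; the spool is also the on-disk buffer that holds events
# while a manager is unreachable.
output unified2: filename snort.u2, limit 128

# --- barnyard2.conf (sensor): read the spool, forward to both managers ---
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map

# How this sensor is identified in the managers' sensor table (placeholders).
config hostname:  sensor-site-01
config interface: eth1

# Input: Snort's unified2 records from the spool directory given on the
# command line.
input unified2

# Two independent database outputs, one per manager (placeholder hosts and
# credentials). Each manager receives a full copy of every event, which is
# what lets a single ArcSight connector pull from either database.
output database: log, mysql, user=snort password=CHANGE_ME dbname=snort host=manager1.example
output database: log, mysql, user=snort password=CHANGE_ME dbname=snort host=manager2.example

# Start barnyard2 against the spool as a daemon. The waldo file records the
# last record it delivered, so spool entries not yet written to the managers
# are picked up again after a restart rather than lost:
#   barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 \
#             -w /var/log/snort/barnyard2.waldo -D
```

Before relying on the two outputs for redundancy, test what barnyard2 does when only one manager is down (stop MySQL on one of them and watch the spool and the surviving manager), since the outputs are processed by a single barnyard2 process rather than independently.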
Current thread:
- Snort Architecture and Management Morris, Shane (US SSA) (May 30)
- <Possible follow-ups>
- Re: Snort Architecture and Management Steven McLaughlin (May 30)
- Re: Snort Architecture and Management Jaime Nebrera (May 31)
- Re: Snort Architecture and Management Morris, Shane (US SSA) (May 31)
- Re: Snort Architecture and Management Jaime Nebrera (May 31)
- Re: Snort Architecture and Management Morris, Shane (US SSA) (May 31)
- Re: Snort Architecture and Management Joel Esler (May 31)
- Re: Snort Architecture and Management Morris, Shane (US SSA) (May 31)