Snort mailing list archives

Re: Central Server


From: Brent Bice <bbice () sgi com>
Date: Thu, 17 Nov 2016 08:23:10 -0700

    Look under "3rd Party Projects".  There's a bunch of different 
things there but some of 'em are related to what you're after. In 
particular, you'll want barnyard2 (to read the snort unified files and 
then log to one or more central systems) and maybe snorby.

    I used snorby until recently. I'd upgraded barnyard2 (for better 
syslog'ing of snort stuff), then found snorby was having problems. I 
grabbed a newer snorby which was going to need a newer ruby and the 
newer ruby had other pre-reqs and I was going to wind up having to 
upgrade the entire OS of my snorby server.

    Anyway, at that point, I tossed snorby just because I had a new 
alternative. I'd recently built a distributed log server on 
elasticsearch and kibana (which was why I wanted the newer barnyard2) 
and now I just use kibana and my dandy new log system to look through 
snort alerts. The log system isn't really packaged up 'n polished yet 
(the syslog daemon written in NodeJS is somewhat SGI-specific still) or 
I'd spin up a site for it and ask it to be added to the 3rd party list 
but for the curious, take a peek at:

https://www.youtube.com/watch?v=NW9-AgmUi_o (skip to 1:40 if you want to 
skip to where I used it to find a bot-infection start)

    Skip to 8:10 if you want to see just snort-related stuff.

    Anyway, I point all that out only to encourage you to consult google 
also. With Barnyard2 there are LOTS of options for what you can do with 
the snort alerts and how to store them, and LOTS of options for then 
analyzing/searching those alert stores.  Different people will have 
different ideas of what options are important to them, so I'd recommend 
trying several out before you decide which one (or maybe more than one) 
will be the best for your needs.

Brent
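
Added example (not code from either poster): once barnyard2 is syslog'ing 
alerts to a central log server, the lines have to be parsed and keyed by 
sensor, because two of Eric's sites may reuse the same 192.168.1.0/24 and an 
address alone no longer identifies a host. The sample lines and the sensor 
names site-a/site-b are constructed; the regex assumes the usual Snort/barnyard2 
alert_syslog layout with Classification and Priority brackets present.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: lines in the shape barnyard2's alert_syslog output takes
# once a central syslog server has prefixed the timestamp and sensor hostname.
# site-a and site-b are two unrelated sites that both use 192.168.1.0/24.
SAMPLE_LOG = """\
Nov 17 08:23:10 site-a barnyard2[1201]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.10:80 -> 192.168.1.20:53245
Nov 17 08:23:12 site-b barnyard2[998]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.10:80 -> 192.168.1.20:41022
Nov 17 08:24:01 site-a barnyard2[1201]: [1:384:5] ICMP PING [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.5 -> 192.168.1.1
Nov 17 08:24:05 site-a kernel: unrelated message that must be ignored
"""

# One regex for the whole line; ports are optional because ICMP alerts have none.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<sensor>\S+) barnyard2\[\d+\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r" -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

def parse_alert(line):
    """Return a dict for one barnyard2 syslog alert line, or None if it is not one."""
    m = ALERT_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ev = m.groupdict()
    for k in ("gid", "sid", "rev", "prio"):
        ev[k] = int(ev[k])
    for k in ("sport", "dport"):
        ev[k] = int(ev[k]) if ev[k] is not None else None
    return ev

def parse_log(text):
    """Parse every line of a syslog file, silently skipping non-alert lines."""
    return [ev for ev in map(parse_alert, text.splitlines()) if ev]

def count_by_sensor_and_sid(events):
    """Alert volume per (sensor, sid): the sensor is part of the key on purpose."""
    return Counter((ev["sensor"], ev["sid"]) for ev in events)

def sources_by_sensor(events):
    """Source IPs per sensor. The same address under two sensors is two
    different hosts when sites reuse a subnet, so never merge across sensors."""
    out = defaultdict(set)
    for ev in events:
        out[ev["sensor"]].add(ev["src"])
    return dict(out)
```

Everything downstream (kibana dashboards, database rows) should carry the sensor field for the same reason.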


On 11/16/2016 10:08 PM, Eric J. Taylor wrote:
Good day,

Hope all is well with everyone. New to snort and the ids/ips world, but
looking forward to having more secure network(s).

I hope this is an easy answer to my question today. Been reading through
the docs, and I see no mention about having a central server for
multiple locations. The locations are not joined in any fashion, as in
separate companies altogether. If I were to put up a central snort box and
connect the firewalls (mostly mikrotik) to the central server, are there
any special gotchas or considerations I need to review? I also don't
know how much traffic is really sent over the WAN for analysis either.
As a couple of sites use the same subnet schema, I will have to consider
some changes at the locations to support IPSec from remote site to
central server; if IPSec between locations is recommended.

And please, if I am overlooking this part in the documents, please point
me to it as I don't see it currently.

Thanks in advance for your time and helpfulness as I try to figure this
puzzle out.



P.S. Any grammar or humorous statements are courtesy of Android.


Eric Taylor
Owner | Veterinary IT Support Specialist
800-324-9941 x1005


------------------------------------------------------------------------------



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
