Snort mailing list archives
Re: Central Server
From: Brent Bice <bbice () sgi com>
Date: Thu, 17 Nov 2016 08:23:10 -0700
Look under "3rd Party Projects". There's a bunch of different things there but some of 'em are related to what you're after. In particular, you'll want barnyard2 (to read the snort unified files and then log to one or more central systems) and maybe snorby.

I used snorby until recently. I'd upgraded barnyard2 (for better syslog'ing of snort stuff), then found snorby was having problems. I grabbed a newer snorby which was going to need a newer ruby and the newer ruby had other pre-reqs and I was going to wind up having to upgrade the entire OS of my snorby server. Anyway, at that point, I tossed snorby just because I had a new alternative.

I'd recently built a distributed log server on elasticsearch and kibana (which was why I wanted the newer barnyard2) and now I just use kibana and my dandy new log system to look through snort alerts. The log system isn't really packaged up 'n polished yet (the syslog daemon written in NodeJS is somewhat SGI-specific still) or I'd spin up a site for it and ask it to be added to the 3rd party list but for the curious, take a peek at: https://www.youtube.com/watch?v=NW9-AgmUi_o (skip to 1:40 if you want to skip to where I used it to find a bot-infection start). Skip to 8:10 if you want to see just snort-related stuff.

Anyway, I point all that out only to encourage you to consult google also. With Barnyard2 there's LOTS of options for what you can do with the snort alerts and how to store them and LOTS of options for then analyzing/searching those alert stores. Different people will have different ideas of what options are important to them so I'd recommend trying several out before you decide which one (or maybe more than one) will be the best for your needs.

Brent

On 11/16/2016 10:08 PM, Eric J. Taylor wrote:
Good day,

Hope all is well with everyone. New to snort and the ids/ips world, but looking forward to having more secure network(s). I hope this is an easy answer to my question today.

Been reading through the docs, and I see no mention about having a central server for multiple locations. The locations are not joined in any fashion, as in separate companies all together. If I were to put a central snort box and connect the firewalls (mostly mikrotik) to the central server, are there any special gotchas or considerations I need to review? I also don't know how much traffic is really sent over the WAN for analysis either. As a couple of sites use the same subnet schema, I will have to consider some changes at the locations to support IPSec from remote site to central server; if IPSec between locations is recommended.

And please, if I am overlooking this part in the documents please point me to it as I don't see it currently. Thanks in advance for your time and helpfulness as I try to figure this puzzle out.

P.S. Any grammar or humorous statements are courtesy of Android.

Eric Taylor
Owner | Veterinary IT Support Specialist
800-324-9941 x1005

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
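Brent's point that barnyard2 exists to read Snort's unified2 files and forward the events to a central store is where a home-grown pipeline like his elasticsearch/kibana setup begins. As an added example (not code from this thread, from Snort or from barnyard2), here is a minimal Python reader for unified2 IPv4 IDS event records that turns each one into a dict ready for JSON shipping; the record layout follows Snort's Unified2_common.h, and the sample record is constructed inline rather than taken from a real sensor.

```python
"""Minimal reader for Snort unified2 IDS event records (the files barnyard2 consumes).

Every record is an 8-byte header (type, length; big-endian uint32) followed by
`length` bytes of payload. Layouts below follow Snort's Unified2_common.h.
"""
import socket
import struct
from typing import Dict, Iterator

UNIFIED2_IDS_EVENT = 7          # legacy IPv4 event, 52-byte payload
UNIFIED2_IDS_EVENT_VLAN = 104   # IPv4 event plus mpls_label, vlan_id, pad (60 bytes)
RECORD_HDR = struct.Struct("!II")
EVENT_BODY = struct.Struct("!9I4s4sHHBBBB")   # fields shared by both event types
VLAN_TAIL = struct.Struct("!IHH")


def parse_records(data: bytes) -> Iterator[Dict]:
    """Yield one dict per IPv4 IDS event; other record types are skipped by length."""
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        if off + rlen > len(data):
            raise ValueError("truncated unified2 record")   # partial write by the sensor
        if rtype in (UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_VLAN):
            f = EVENT_BODY.unpack_from(data, off)
            ev = {
                "sensor_id": f[0], "event_id": f[1],
                "event_second": f[2], "event_microsecond": f[3],
                "sid": f[4], "gid": f[5], "rev": f[6],
                "classification_id": f[7], "priority": f[8],
                "src_ip": socket.inet_ntoa(f[9]), "dst_ip": socket.inet_ntoa(f[10]),
                "src_port": f[11], "dst_port": f[12], "protocol": f[13],
                "blocked": f[16],
            }
            if rtype == UNIFIED2_IDS_EVENT_VLAN:
                ev["mpls_label"], ev["vlan_id"], _ = VLAN_TAIL.unpack_from(data, off + EVENT_BODY.size)
            yield ev
        off += rlen


def build_sample_event() -> bytes:
    """Constructed type-104 record: local-range sid 1000001 (gid 1), 10.0.0.5:40000 -> 192.168.1.10:80/tcp, VLAN 100."""
    body = EVENT_BODY.pack(1, 42, 1479400000, 123456, 1000001, 1, 3, 3, 2,
                           socket.inet_aton("10.0.0.5"), socket.inet_aton("192.168.1.10"),
                           40000, 80, 6, 0, 0, 0) + VLAN_TAIL.pack(0, 100, 0)
    return RECORD_HDR.pack(UNIFIED2_IDS_EVENT_VLAN, len(body)) + body


if __name__ == "__main__":
    for event in parse_records(build_sample_event()):
        print(event)
```

Pointing `parse_records` at the bytes of a real `snort.u2.*` file (or at a tail of it, since Snort appends records) yields dicts that can be posted straight to elasticsearch or written to syslog.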
Current thread:
- Central Server Eric J. Taylor (Nov 16)
- Re: Central Server Brent Bice (Nov 17)