Snort mailing list archives
RE: Problems about snort in enterprise environment
From: Fraser Hugh <hugh_fraser () dofasco ca>
Date: Thu, 7 Nov 2002 14:36:19 -0500
If I understand your question correctly, you want a single system with multiple network cards, each monitoring a different subnet, but logging to a common database. I've seen threads here on Snort watching multiple network cards, so I expect it can be done. There are, though, several benefits from using a distributed system with a database/ACID server receiving events from multiple Snort sensor systems, each watching a single subnet.

I also expect your main concern is the administrative/security people who will be managing 4 systems, but you've already listed the tools needed to reduce this load quite a bit. It's a simple task to have a system running Snort send its events to a remote MySQL database, and without any configuration changes, multiple Snort systems will all log their events to a common database, each tagged with the Snort system it came from. ACID can view the contents of the database, and will allow your security admin people to view the installation as a single source of events, or as separate subnets.

Having individual systems for each sensor and a common one for the database and ACID console is easy to scale, as adding another subnet simply means deploying another sensor and pointing it at the database server. Along with scalability, you get some fault tolerance in the system, where the failure of a sensor on one subnet doesn't completely blind you. If you're lucky enough to be able to use the same Snort signatures for each subnet, the sensors become true clones of each other, and deployment can almost be automated with tools like kickstart.

You've also listed Webmin as a tool for managing the systems. Treating the sensors as a cluster can go a long way towards reducing the workload of managing all of the systems at once (i.e. package updates). Rsync is another tool that can help keep them synchronized. The only tool you haven't mentioned that I use is Netsaint/Nagios to provide a single view of the database server and sensor performance in one place.
-----Original Message-----
From: Andrea Iacopini [mailto:andrea.iacopini () realtech it]
Sent: Thursday, November 07, 2002 5:32 AM
To: Snort-users () lists sourceforge net
Subject: [Snort-users] Problems about snort in enterprise environment

Hi guys,

I'm currently involved in a project which consists of a distributed Snort installation. Snort will monitor different subnets; my idea was to build a "complete sensor" (snort, mysql, acid, webmin) for every module, but in this design administrative people need to monitor four different systems. My thought was: is it possible to create a single-system Snort installation with different ethernet devices that watch different subnets and log to the same DB? Some suggestions? Links?

Regards,
A.

========================================================================
Andrea Iacopini - Networking Solutions
andrea.iacopini () realtech it - Mobile +39 335 123.44.93
REALTECH Italia S.p.A. - Technology drives e-Business
Via Paolo di Dono, 73 - 00142 Roma, Italy
Tel. +39 06 51.95.981, Fax. +39 06 51.96.36.74
========================================================================
Real hackers don't die, just their TTL expires. [Unknown]

-------------------------------------------------------
This sf.net email is sponsored by: See the NEW Palm Tungsten T handheld. Power & Color in a compact size! http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0001en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
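The reply above describes the sensor fleet that works well: several Snort sensors, each with its own "output database:" line pointing at one shared MySQL server, each tagged with a distinct sensor name so ACID can show the events merged or per subnet. The following script is an added example, not code from the thread or from the Snort project: it audits a set of snort.conf fragments (constructed here for three hypothetical sensors, with an invented database host name) and reports the two mistakes a cloned sensor is most likely to carry, a copy that still logs to localhost and a copy whose sensor_name was never changed. The "output database: log, mysql, key=value ..." syntax is that of Snort's database output plugin; the parsing here is a deliberately small regex, not Snort's own config parser.

```python
"""Audit snort.conf fragments from a fleet of sensors: every sensor must log to
the same remote database, and every sensor must carry a distinct sensor_name.
Added example; host names and passwords below are constructed, not real."""
import re
from typing import Dict, List

# Constructed snort.conf fragments for three hypothetical sensors.  The last one
# is a clone of sensor-dmz whose database host and sensor_name were not updated.
SENSOR_CONFIGS: Dict[str, str] = {
    "sensor-dmz": """
var HOME_NET 10.1.0.0/24
output database: log, mysql, user=snort password=secret dbname=snort host=db.example.internal sensor_name=sensor-dmz
""",
    "sensor-lan": """
var HOME_NET 10.2.0.0/24
output database: log, mysql, user=snort password=secret dbname=snort host=db.example.internal sensor_name=sensor-lan
""",
    "sensor-wan": """
var HOME_NET 192.0.2.0/24
output database: log, mysql, user=snort password=secret dbname=snort host=localhost sensor_name=sensor-dmz
""",
}

# Matches "output database: <log|alert>, <dbtype>, <params>" one line at a time.
OUTPUT_DB_RE = re.compile(
    r"^\s*output\s+database:\s*(\w+)\s*,\s*(\w+)\s*,\s*(.*)$", re.MULTILINE
)


def parse_output_database(conf: str) -> List[Dict[str, str]]:
    """Return one dict per 'output database:' line with mode, dbtype and the
    key=value parameters (user, password, dbname, host, sensor_name, ...)."""
    plugins = []
    for mode, dbtype, params in OUTPUT_DB_RE.findall(conf):
        entry = {"mode": mode, "dbtype": dbtype}
        for token in params.split():
            if "=" in token:
                key, value = token.split("=", 1)
                entry[key] = value
        plugins.append(entry)
    return plugins


def audit_fleet(configs: Dict[str, str]) -> List[str]:
    """Return human-readable problems; an empty list means the fleet is consistent."""
    problems: List[str] = []
    targets = set()                 # distinct (dbtype, host, dbname) triples
    seen_names: Dict[str, str] = {}  # sensor_name -> sensor that claimed it
    for sensor, conf in configs.items():
        plugins = parse_output_database(conf)
        if not plugins:
            problems.append(f"{sensor}: no 'output database:' line, events stay local")
            continue
        for plugin in plugins:
            host = plugin.get("host", "localhost")
            targets.add((plugin["dbtype"], host, plugin.get("dbname", "")))
            if host == "localhost":
                problems.append(f"{sensor}: logs to localhost, not the shared database server")
            name = plugin.get("sensor_name")
            if name is None:
                problems.append(f"{sensor}: sensor_name not set; set it so ACID labels this sensor predictably")
            elif name in seen_names:
                problems.append(f"{sensor}: sensor_name '{name}' duplicates {seen_names[name]}")
            else:
                seen_names[name] = sensor
    if len(targets) > 1:
        problems.append(f"sensors log to {len(targets)} different databases: {sorted(targets)}")
    return problems


if __name__ == "__main__":
    for line in audit_fleet(SENSOR_CONFIGS) or ["fleet consistent"]:
        print(line)
```

Run against the constructed fleet it flags sensor-wan three ways: it logs to localhost, it reuses the name sensor-dmz (so its events would be attributed to the wrong subnet in the ACID console), and the fleet as a whole targets two databases. Point it at the real snort.conf files distributed by rsync or kickstart before sensors are brought up, since a duplicated sensor_name is silent at runtime.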
Current thread:
- Problems about snort in enterprise environment Andrea Iacopini (Nov 07)
- Re: Problems about snort in enterprise environment Atul Shrivastava (Nov 07)
- Re: Problems about snort in enterprise environment Erek Adams (Nov 07)
- Re: Problems about snort in enterprise environment Brian (Nov 07)
- Re: Problems about snort in enterprise environment twig les (Nov 07)
- Re: Problems about snort in enterprise environment Brian (Nov 07)
- <Possible follow-ups>
- RE: Problems about snort in enterprise environment Fraser Hugh (Nov 07)