Snort mailing list archives

Re: Best Enterprise Snort Configuration


From: Michael Boman <michael.boman () securecirt com>
Date: Thu, 13 Feb 2003 11:02:09 +0800

On Wed, Feb 12, 2003 at 05:30:19PM +0100, Saad Kadhi wrote:
On Wed, Feb 12, 2003 at 07:38:57AM -0800, tfandango wrote:
So what snort-related tools do you guys like the best?
 I will probably try to use mySQL to start off with
and log to a central database somewhere.  But what
tools are available to remotely manage the snort
application, display all the sensor alerts in near
realtime on some central console (I assume this will
be something that polls the database), etc, etc.
again, if you check the archives you'll find truckloads of answers but
here is my go at your questions (that is, what I like to use on my
environment so YMMV):

  - database: mysql
  - alert management (not "real time"): acid [1]
      - If realtime (or very close to it): sguil [5][6]
  - sensor configuration management: snortcenter [2]
      - Or RMan[7], and soon in Sguil
  - extra pieces: snort doesn't log directly to db. I use barnyard [3]
    instead, and stunnel [4] to SSL-tunnel data between sensor and
    central db
      - Sguil requires barnyard, and I would say it's suicide to run db output
        without barnyard... your sensor would be too busy sending the alerts
        instead of detecting them.

If you decide to run on a Linux platform, check out Phil Wood's libpcap
patches [8]; this [9] email message explains how to run it ;)

That being said, I never tried ~60 sensors logging to a central db at the
same time.

cheers.
--
[1] http://www.cert.org/kb/acid/
[2] http://users.pandora.be/larc/
[3] http://www.snort.org/dl/barnyard/
[4] http://www.stunnel.org/
  [5] http://www.satexas.com/~bamf/sguil/
  [6] http://sf.net/projects/sguil
  [7] http://rman.sf.net
  [8] http://public.lanl.gov/cpw/
  [9] http://marc.theaimsgroup.com/?l=snort-users&m=103833873414252&w=2

Best regards
 Michael Boman

-- 
Michael Boman
Security Architect, SecureCiRT Pte Ltd
http://www.securecirt.com
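The split the thread recommends (snort writing unified spool files to local disk, barnyard reading them into MySQL out of the packet path, stunnel carrying the database session between sensor and collector), written out as an added configuration example. It is not part of this thread and not taken from any of the projects referenced; the option syntax is the snort 1.9/2.0 unified output, barnyard 0.1 and stunnel 4 syntax as assumed here, and the hostnames, paths, sensor id, certificate files and passwords are placeholders.

```conf
# --- snort.conf on the sensor ----------------------------------------------
# Weak setting: snort opens the database connection itself and blocks on
# every INSERT, so packets are dropped while it waits on the network.
# (commented out on purpose; shown for contrast)
#   output database: alert, mysql, user=snort password=CHANGEME dbname=snort host=db.example.internal
#
# Corrected setting: write binary unified spool files locally and let a
# separate process ship them. "limit" is the rollover size in MB.
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

# --- barnyard.conf on the sensor -------------------------------------------
# barnyard tails the alert spool and does the slow database work outside
# snort's packet path. It connects to the local stunnel endpoint, never to
# the central host directly. hostname, interface, sensor_id and password
# are placeholders.
config daemon
config hostname: sensor1
config interface: eth0
processor dp_alert
output alert_acid_db: mysql, sensor_id 1, database snort, server 127.0.0.1, user snort, password CHANGEME, detail full
# assumed start line (-d spool dir, -f spool base name, -w bookmark "waldo" file):
#   barnyard -c /etc/snort/barnyard.conf -d /var/log/snort -f snort.alert -w /var/log/snort/alert.waldo

# --- /etc/stunnel/stunnel.conf on the sensor (client side) -----------------
# Accepts plain MySQL on loopback only and forwards it over SSL to the
# collector; verify = 2 makes the sensor check the collector's certificate
# against the CA file, so a rogue collector cannot harvest the alert stream.
client = yes
cert = /etc/stunnel/sensor1.pem
verify = 2
CAfile = /etc/stunnel/ca.pem
[mysql]
accept  = 127.0.0.1:3306
connect = db.example.internal:3307

# --- /etc/stunnel/stunnel.conf on the central database host (server side) --
# Terminates SSL on 3307 and hands the session to mysqld. mysqld itself is
# bound to 127.0.0.1 (bind-address in my.cnf), so nothing reaches it in the
# clear, and verify = 2 means only sensors holding a CA-issued cert get in.
cert = /etc/stunnel/collector.pem
verify = 2
CAfile = /etc/stunnel/ca.pem
[mysql]
accept  = 3307
connect = 127.0.0.1:3306
```

Two things worth checking after wiring this up: that the sensor's MySQL port is bound to loopback only (a `netstat -an` on the sensor should show 3306 on 127.0.0.1, not 0.0.0.0), and that barnyard's waldo file is on persistent storage, since that bookmark is what lets a restarted barnyard resume the spool without re-inserting or losing alerts.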
