Snort mailing list archives

Re: Distributed Snort management


From: "Shawn Truax" <Shawn.Truax () mbs gov on ca>
Date: Fri, 23 May 2003 07:50:47 -0400

Having handled this exact problem, we settled on the usage of a program called mudpit
(http://www.fidelissec.com/mudpit.html). One of the features that it offers, and I quote from their website, is
"Stability, including support for automatic recovery from network failures and outages with no information loss".
Your mileage will vary with hardware, but you should be able to get a week's worth of data spooled, which should be
plenty.



Shawn Truax
Security Specialist
Corporate Security
155 University Ave.
Toronto, Ontario
M5H 3B7
(416)327-1107

"Nelson, Ben" <bnelson () rightnow com> 05/21/03 09:15pm >>>
I have many snort sensors that are distributed across large geographic boundaries. Maintaining and monitoring these
installations is starting to become troublesome. I have started using SnortCenter to manage and push out rules (which
is working great BTW), but I need to figure out a good way to centralize the data and alerts that Snort comes up with.

At first I thought that I could just make all of the sensors log to a centralized MySQL server (all logging to the same
database) over stunnel or something like that, but what if a sensor loses connectivity to the MySQL server? I'd lose
all of the alerts generated during that time frame (I guess I could log them to flat files on disk as well, but that
would defeat the purpose of using a database... no?)

Then I thought maybe I could set up TWO output directives to log all alerts to two separate databases (one local to the
sensor and the remote one), but then re-synchronizing the sensor's database to the main MySQL server becomes a problem
when connectivity is re-established.

I could also just use MySQL's built in replication (over stunnel again).  That would solve my problem of 
re-synchronizing databases when connectivity came back (MySQL handles all of that), but then I'd have to have a 
separate database for each sensor since MySQL doesn't support replication of multiple masters to a single slave (does 
any database supported by snort do this?).  Ideally, I'd like to have all alerts from all sensors go into the SAME 
database.

Is anyone else in a similar situation? What did you do to centralize your alerts? I'm really open to
suggestions... having ACID loaded onto EVERY sensor seems like a waste (not to mention a pain to check regularly).

Thanks,
--Ben
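A minimal illustration of the spool-and-replay approach the reply recommends, added here as example code (it is not mudpit's code or anything posted in the thread): each alert is written to a local spool first and later replayed into the shared central database under an idempotent (sensor_id, sid) key, so the resync after an outage that Ben worries about cannot create duplicates. SQLite stands in for the central MySQL server, and the sensor name, spool format and table schema are assumptions of this example.

```python
import json
import sqlite3
import tempfile
from pathlib import Path

def open_central(path=":memory:"):
    """Stand-in for the shared central database (SQLite here, MySQL in the thread)."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS event (sensor_id TEXT, sid INTEGER,"
                 " ts TEXT, sig TEXT, src TEXT, dst TEXT, PRIMARY KEY (sensor_id, sid))")
    return conn

class AlertSpooler:
    """Store-and-forward for one sensor's alerts: every alert hits the local
    spool first, so nothing is lost while the central database is unreachable.
    Rows are keyed by (sensor_id, sid), the sensor's own event counter, so a
    replay into the shared database is idempotent (assumed schema)."""
    def __init__(self, sensor_id, spool_path=None):
        self.sensor_id = sensor_id
        self.spool = Path(spool_path) if spool_path else Path(tempfile.mkdtemp()) / "alerts.spool"
        self.spool.touch()
        self.sid = 0

    def record(self, ts, sig, src, dst):
        """Append one alert to the spool as a JSON line (durable before any send)."""
        self.sid += 1
        with self.spool.open("a") as f:
            f.write(json.dumps({"sid": self.sid, "ts": ts, "sig": sig,
                                "src": src, "dst": dst}) + "\n")

    def pending(self):
        """Number of alerts still waiting in the local spool."""
        return sum(1 for line in self.spool.read_text().splitlines() if line.strip())

    def deliver(self, central):
        """Replay the whole spool into the central database; return rows actually added.
        INSERT OR IGNORE makes a repeated or partially completed replay harmless."""
        before = central.execute("SELECT COUNT(*) FROM event").fetchone()[0]
        rows = [json.loads(l) for l in self.spool.read_text().splitlines() if l.strip()]
        central.executemany("INSERT OR IGNORE INTO event VALUES (?, ?, ?, ?, ?, ?)",
                            [(self.sensor_id, r["sid"], r["ts"], r["sig"], r["src"], r["dst"])
                             for r in rows])
        central.commit()
        return central.execute("SELECT COUNT(*) FROM event").fetchone()[0] - before

    def flush(self, central):
        """Deliver, then truncate the spool only after the commit succeeded.
        A database error (the sensor is cut off) leaves the spool intact and returns None."""
        try:
            added = self.deliver(central)
        except sqlite3.Error:
            return None
        self.spool.write_text("")
        return added
```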


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
