Snort mailing list archives

Re: Rebuilding the wheel


From: Doug Burks <doug.burks () gmail com>
Date: Fri, 21 Dec 2012 13:08:35 -0500

On Wed, Dec 19, 2012 at 12:06 PM, Mike Miller <mike () millertwinracing com> wrote:
> I have a specific set of implementation requirements and have been away from Snort long enough that I figured I'd ask
> before rebuilding the wheel (as fun as that initially sounds).
>
> Six or so years ago, we had a 14-IDS infrastructure that bubbled its results up to a QRadar box. The sensors were
> originally Gentoo boxes and worked well, but required a pretty serious investment in Gentoo to keep them running.
> They were also ONLY Snort boxes. Sure, you could hop on them and run a tcpdump, but they were one-trick ponies. Also,
> importantly, they were on the outside interface, meaning they didn't see NATted traffic.
>
> I've used AlienVault and Security Onion, and they are both more, and less, than I want. I'm having issues with dropped
> packets on one of the first boxes, and it seems to be kernel related (fiber Intel e1000 card on a HUGE DL585, 8 core,
> 32 Gb RAM, 1 gig feed). I'm still digging into compiling PF_RING support on a 2.8 kernel.

Hi Mike,

Please try our new Security Onion 12.04 RC1 as it already has PF_RING included:
http://code.google.com/p/security-onion/wiki/RC1

> AlienVault seemed to be doing too much; I don't need the bells and whistles, and Security Onion seems hell-bent on
> recording every single packet, which is great in an analyst box, but it's hell to tune.

Yes, Security Onion does full packet capture by default.  You can
disable it if you wish, but it provides tremendous forensic
capability.

> What I'm looking for is automation to roll out and manage a box that does IDS stuff and receives syslog feeds to give
> visibility... from 22+ locations.

Security Onion can receive syslog feeds and store them in ELSA, a
central web interface similar to Splunk, but free.

If you have further questions about Security Onion, please feel free
to use our mailing lists:
http://code.google.com/p/security-onion/wiki/MailingLists

Hope that helps!

Thanks,
--
Doug Burks
http://securityonion.blogspot.com
