Snort mailing list archives

Re: Snort Architecture and Management


From: Steven McLaughlin <steve () Lan com au>
Date: Fri, 31 May 2013 12:17:00 +1000

Hi Shane,

I am currently working on developing a scalable architecture like yourself, so
I can give you input from my experience.

I prefer the Snorby front end myself if you are looking for a GUI. I've
used BASE before which is also very good. Have you also had a look at
Squert/Sguil?

I am also using barnyard2 for spooling, and CentOS is also my favourite Snort
platform.

Have you considered separating the database tier from the sensor tier?
This is the recommended approach for a large-scale distributed installation.
You can tell by2 to give each sensor a unique name for the DB.

As far as caching the events in the event of an outage, I think by2 is your
best option. It uses a waldo bookmark file for the very purpose of knowing
where it last left off in the unified2 files. However, I would be
interested to hear the best place to run by2 (on the sensor node or
the DB node?). The thing with by2 is that you have to specify an input
folder, so it would require a remote folder mount if NOT on the same box as
the sensor.

But if by2 was running on the same box as the sensor, will it also put a
hold on processing if the connection to the SQL DB goes down? That is
something I would like to know.

i.e. Does by2 waldo bookmarking take into account both outages at the input
end and the output end of its process?

u2-> input_end <barnyard2> output_end-> MySQL

Steve


On 31 May 2013 10:53, Morris, Shane (US SSA) <shane.morris () baesystems com> wrote:

I currently have several Snort sensors spread across the world at
different sites. Each sensor runs independently of the others; it's the
basic Snort dumping to MySQL and an ArcSight connector pulling from the DB
and shoveling the alerts into ArcSight. We support a growing 10K plus rule
set. So each sensor has its own copy of Snort, MySQL and ArcSight Connector
running. We are about to roll out many more sensors and this approach is
not manageable, so it needs to be re-architected and I'm looking for any and
all suggestions from those who are already doing more.

I'm going to implement Barnyard2 unless someone has a reason why I should
stick with Barnyard.

My plan is to have each sensor only running Snort and Barnyard2 and
dumping to two managers (for redundancy). The managers will be running
MySQL, and the ArcSight connector will be running on a separate server and
pulling from the DB. This way I only have to manage two databases and two
connectors. I would also like to add a GUI, so I was considering BASE to
give my analysts a more robust tool to go through alerts and do some
reporting.

Questions

1. I'm currently running RedHat but am fluent in any flavor of
Linux. Which is the most widely supported OS for Snort and Snort-related
apps? It seems like CentOS is very popular among Snort users.

2. Is there a way I can cache events on the sensors temporarily
if the connection is lost between the sensor and the manager?

3. Are there better options for a GUI than BASE? I would even
consider running two if there was enough value in both.

4. I'm looking for management tools for the sensors and the
rules that I can run from the managers.

5. Any suggestions for managing large rule sets instead of one
flat file?

If I'm going to redo this thing I want to do it right.

Thank you, and any input is appreciated.

-Shane


------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite
It's a free troubleshooting tool designed for production
Get down to code-level detail for bottlenecks, with <2% overhead.
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap2
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!




-- 
Best Regards,
Steven McLaughlin
steve () Lan com au
0459 351 266
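The sensor/database split that Steve recommends and Shane is planning, written out as configuration. This is an added example, not a snippet from either poster: Snort on the sensor writes only a local unified2 spool, and barnyard2 on the same sensor reads that spool, resumes from its waldo bookmark, and logs to a MySQL server on a separate manager host under a sensor name unique to that box. The hostname, interface, paths, database host and credentials are placeholders chosen for the example.

```conf
# --- snort.conf (sensor) ---
# Snort writes unified2 records to local disk only; no database output
# on the sensor, so a DB or network outage cannot stall packet processing.
output unified2: filename merged.log, limit 128

# --- barnyard2.conf (same sensor) ---
# Sensor identity: barnyard2 registers hostname + interface as this
# sensor's row in the shared database, so every sensor must differ here.
config hostname: sensor-sydney-01
config interface: eth1

# Bookmark: barnyard2 records how far into the unified2 spool it has read,
# so after a restart it resumes from that point instead of re-inserting
# or skipping events.
config waldo_file: /var/log/snort/barnyard2.waldo

# Read the unified2 spool that Snort writes above.
input unified2

# Log to the separate database tier (the manager host, not localhost).
output database: log, mysql, user=snort password=CHANGEME dbname=snort host=db-manager-01.example.net

# Start barnyard2 in continuous mode against the spool directory, with the
# same waldo file (placeholder paths):
#   barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f merged.log -w /var/log/snort/barnyard2.waldo
```

Two practical checks before relying on this in production. First, the waldo file only covers the input side (where barnyard2 left off in the spool); whether barnyard2 stalls on the spool while MySQL is unreachable is exactly the question Steve leaves open, so stop MySQL on the manager in a lab, generate alerts, and watch whether the spool files and the waldo file keep advancing. Second, with barnyard2 on the sensor, unified2 files keep accumulating on the sensor's disk for as long as the database is down, so the spool partition needs headroom and disk-usage monitoring, and the `limit 128` rotation size should be chosen with that in mind.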
