Snort mailing list archives
Re: Snort Architecture and Managment
From: Joel Esler <jesler () sourcefire com>
Date: Fri, 31 May 2013 11:23:29 -0400
On May 30, 2013, at 8:53 PM, "Morris, Shane (US SSA)" <shane.morris () baesystems com> wrote:
> 1. I’m currently running RedHat but am fluent in any flavor of Linux. Which is the most widely supported OS for Snort and Snort-related apps? It seems like CentOS is very popular among Snort users.
Unfortunately we have no way of measuring that from the server side, but it appears that redhat/centos/fedora is probably the most widely used I think.
> 2. Is there a way I can cache events on the sensors temporarily if the connection is lost between the sensor and the manager?
barnyard2 will retry its connection if it goes down, so, yes.
> 3. Are there better options for a GUI than BASE? I would even consider running two if there was enough value in both.
Snorby seems to be the hottest thing right now, but I don't think it requires barnyard2.
> 4. I’m looking for management tools for the sensors and the rules that I can run from the managers.
Aside from commercial/free-commercial solutions, there's really not a good one that I know of.
> 5. Any suggestions for managing large rule sets instead of one flat file?
Pulledpork does a good job of managing rulesets with its disable-sid.conf and enable-sid.conf, but everyone has a completely different use case.
--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire