Snort mailing list archives
Re: How to handle multiple snort sensors
From: Jaime Nebrera <jnebrera () redborder org>
Date: Fri, 1 Aug 2014 18:00:26 +0200
Hi Robert,

While with some work you could customize some open source configuration manager like Puppet, Chef or Salt to do this job (as Doug already suggested), the reality is you would still miss quite a bit of stuff in Snort-specific management as well as ease of use. In the open source realm there are quite a few event management solutions designed for Snort, Snorby being probably the most known and popular. But the management side is still missing that traction (IMHO).

This is why we created the redBorder.org project, under sponsorship of a big client, to manage a deployment of hundreds of sensors. Version 2.2.28 is available for free on the website, but it's SQL based and some design considerations made early in the project limit its scalability. This is why I would suggest you play with it but wait till mid September, when the 3.0 version will be made public. Its new big-data-based backend, as well as some SQL revamp, will hopefully establish a powerful record in this area. What's even more important, while still open source like the prior version, we will upload it to GitHub, hoping to foster a strong community around it.

From the management side you have quite a bit of control over the different configuration files (Chef recipes are used underneath), full rules workflow, user roles, auditing, etc. The type of stuff you would expect from a professional management solution.

Another important point is the dismissal of direct SQL event injection. Replacing it with an Apache Kafka bus, we are now able to add real intelligence to the environment. This is not ready yet, but think of data enrichment stuff (geolocation, reputation, ...), anomaly detection and correlation rules. We believe this will be our biggest contribution to the Snort community so far. We have already done things for SNMP monitoring, Kafka, reputation, DAQ, etc., all available in our GitHub repository, and of course 2.2.28, but we believe the 3.0 version will be a huge step in favor of open source around our loved Snort.

Of course, in the proprietary realm this changes quite a bit, but that's a fully different ball game.

PS.- If not evident by my email, my company develops redBorder :)

On 01/08/2014 16:57, "Robert Millott" <robm () millottandassociates com> wrote:
All,

I am setting up about 35 Snort sensors across our network, all feeding back into a SIEM (ArcSight). I was curious, how does anyone else out there handle multiple sensors? I am looking for a way to quickly (and centrally) view snort.conf, threshold.conf, BPF filters, rules enabled or disabled, etc. without having to SSH into each individual host. I know PulledPork will handle pulling rules, but I am looking around to see if anyone has a means of managing many sensors.

Thanx
--
Robert Millott
President, Millott and Associates
(443) 255-3588
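An added example, not code from this thread or from redBorder, of the central "which rules are enabled or disabled where" view Robert asks for: given rules files already collected from each sensor (by scp, Puppet/Chef/Salt file fetches, or any other means), it maps each SID to its enabled/commented-out state per sensor and reports only the SIDs whose state differs between sensors. The two sensor rule sets below are constructed sample input.

```python
"""Inventory Snort rule state (enabled / commented out) per sensor and
report drift between sensors. Sample input below is constructed."""
import re

# A rule line starts with an action, optionally preceded by '#' (disabled).
RULE_START = re.compile(r'^\s*(#\s*)?(alert|log|pass|drop|reject|sdrop)\b')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')


def parse_rule_states(text):
    """Return {sid: True if enabled, False if commented out} for one rules file.
    Comment lines that are not rules, and rules without a sid, are skipped."""
    states = {}
    for line in text.splitlines():
        start = RULE_START.match(line)
        if not start:
            continue
        sid = SID_RE.search(line)
        if not sid:
            continue
        states[int(sid.group(1))] = start.group(1) is None
    return states


def rule_drift(sensors):
    """sensors: {sensor_name: rules file text}.
    Return {sid: {sensor_name: True/False/None}} for every sid whose state
    (enabled, disabled, or None = absent) is not identical on all sensors."""
    parsed = {name: parse_rule_states(text) for name, text in sensors.items()}
    all_sids = set().union(*parsed.values())
    drift = {}
    for sid in sorted(all_sids):
        per_sensor = {name: parsed[name].get(sid) for name in parsed}
        if len(set(per_sensor.values())) > 1:
            drift[sid] = per_sensor
    return drift


# Constructed sample: sensor-b has sid 1000002 enabled and lacks 1000003.
SENSOR_A = """\
alert tcp any any -> any 80 (msg:"WEB test"; sid:1000001; rev:1;)
# alert tcp any any -> any 22 (msg:"SSH test"; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"DNS test"; sid:1000003; rev:1;)
"""
SENSOR_B = """\
alert tcp any any -> any 80 (msg:"WEB test"; sid:1000001; rev:1;)
alert tcp any any -> any 22 (msg:"SSH test"; sid:1000002; rev:1;)
"""

if __name__ == "__main__":
    for sid, per_sensor in rule_drift({"sensor-a": SENSOR_A, "sensor-b": SENSOR_B}).items():
        print(sid, per_sensor)
```

Fed the real collected files, the same drift dict can be written into the SIEM as a daily audit event so a sensor whose rule set silently diverged shows up without an SSH session to each host.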