Snort mailing list archives

Re: How to handle multiple snort sensors


From: Jaime Nebrera <jnebrera () redborder org>
Date: Fri, 1 Aug 2014 18:00:26 +0200

Hi Robert,

While with some work you could customize some open source configuration
manager like Puppet, Chef or Salt to do this job (as Doug already
suggested), the reality is you would still miss quite a bit of stuff in
Snort-specific management as well as ease of use.

In the open source realm there are quite a few event management
solutions designed for Snort, Snorby being probably the best known and
most popular.

But the management side is still missing that traction (IMHO).

This is why we created the redBorder.org project, under the sponsorship of a big
client, to manage a deployment of hundreds of sensors.

Version 2.2.28 is available for free on the website, but it's SQL based and
some design considerations made early in the project limit its
scalability.
This is why I would suggest you play with it but wait till mid-September,
when the 3.0 version will be made public.

Its new big-data-based backend, as well as some SQL revamp, will hopefully
establish a powerful record in this area.

What's even more important, while still open source like the prior version, we
will upload it to GitHub, hoping to foster a strong community around it.

From the management side you have quite a bit of control over the different
configuration files (Chef recipes are used underneath), full rules
workflow, user roles, auditing, etc. The type of stuff you would expect
from a professional management solution.

Another important point is the dismissal of direct SQL event injection.
Replacing it with an Apache Kafka bus, we are now able to add real
intelligence to the environment. This is not ready yet, but think of data
enrichment stuff (geolocation, reputation, ...), anomaly detection and
correlation rules.

We believe this will be our biggest contribution to the Snort community so far.
We have already done things for SNMP monitoring, Kafka, reputation, DAQ,
etc., all available in our GitHub repository, and of course 2.2.28, but we
believe the 3.0 version will be a huge step in favor of open source around our
beloved Snort.

Of course, in the proprietary realm this changes quite a bit, but that's a
fully different ball game.

PS.- If not evident from my email, my company develops redBorder :)

On 01/08/2014 16:57, "Robert Millott" <robm () millottandassociates com>
wrote:

All,
   I am setting up about 35 Snort sensors across our network, all feeding
back into a SIEM (ArcSight).  I was curious, how does anyone else out there
handle multiple sensors?  I am looking for a way to quickly (and centrally)
view snort.conf, threshold.conf, BPF filters, rules enabled or disabled, etc.
without having to ssh into each individual host.  I know PulledPork will
handle pulling rules, but I am looking around to see if anyone has a means
of managing many sensors.

Thanx

--
Robert Millott
President, Millott and Associates
(443) 255-3588
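An added example, not from the thread and not redBorder's code, of the kind of fleet check Robert is asking for: once the rules files have been collected from each sensor (by whatever means), flag every sid whose enabled/disabled state differs between sensors or that is missing on some of them. Sensor names and rule contents below are constructed.

```python
import re

# Constructed sample: the rules file contents gathered from three sensors.
# A leading '#' is how Snort rules are disabled, so that is what we detect.
SENSOR_RULES = {
    "sensor-a": """alert tcp any any -> any 22 (msg:"SSH brute"; sid:1000001; rev:1;)
# alert tcp any any -> any 23 (msg:"Telnet login"; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"DNS tunnel"; sid:1000003; rev:2;)""",
    "sensor-b": """alert tcp any any -> any 22 (msg:"SSH brute"; sid:1000001; rev:1;)
alert tcp any any -> any 23 (msg:"Telnet login"; sid:1000002; rev:1;)
# alert udp any any -> any 53 (msg:"DNS tunnel"; sid:1000003; rev:2;)""",
    # sensor-c never received the DNS rule at all (sid 1000003 absent)
    "sensor-c": """alert tcp any any -> any 22 (msg:"SSH brute"; sid:1000001; rev:1;)
# alert tcp any any -> any 23 (msg:"Telnet login"; sid:1000002; rev:1;)""",
}

# Optional '#' (disabled), a rule action keyword, then the sid option.
RULE_RE = re.compile(
    r"^\s*(#\s*)?(alert|log|pass|drop|reject|sdrop)\b.*\bsid\s*:\s*(\d+)\s*;"
)


def parse_rule_states(text):
    """Map sid -> True (enabled) / False (commented out) for one rules file."""
    states = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            states[int(m.group(3))] = m.group(1) is None
    return states


def rule_drift(sensor_rules):
    """Return {sid: {sensor: state}} for sids whose state is not identical on
    every sensor; a sensor that lacks the sid entirely is reported as None."""
    per_sensor = {name: parse_rule_states(txt) for name, txt in sensor_rules.items()}
    all_sids = set().union(*per_sensor.values())
    drift = {}
    for sid in sorted(all_sids):
        view = {name: states.get(sid) for name, states in per_sensor.items()}
        if len(set(view.values())) > 1:
            drift[sid] = view
    return drift


if __name__ == "__main__":
    for sid, view in rule_drift(SENSOR_RULES).items():
        print(sid, view)
```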


------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
