[Snort-devel] Distributed Snort

Frank Knobbe fknobbe at ...337...
Thu Nov 14 10:02:03 EST 2002


On Thu, 2002-11-14 at 06:36, Peter Moore wrote:
> I like your suggestion in that you are still collecting the data and once it 
> detects that the database has come back online it would try and then insert 
> the data. The only issue I have is how you would be storing the queued data? 
> In a log file or something similar?

I thought either in a queue in memory, or in a file. Thinking more about
it, I think Barnyard would be the best option.

> if you are storing it in a file then why not just store it on the current 
> sensor instead of the remote one?

That is exactly what I meant. The main idea is to bring that data back
into the remote/central Snort box.

Here is an ASCII drawing of the concept:


(Data queued in Snort, probably less efficient due to memory
requirements)

   +------+------+-+              +------+------+
   |PrePro|      |Q|              |PrePro|      |---> DB
   +------+Output|u|---/net/---\  +------+Output|---> ASCII
>--|Detect|      |e|           |  |Detect|      |---> TCPDump
   +------+------+-+           |  +------+------+
                               |           | | 
                               \-----------/ |
                                             |
   +------+------+-+                         | 
   |PrePro|      |Q|                         |
   +------+Output|u|---/net/-----------------/  
>--|Detect|      |e|           
   +------+------+-+           
                               
                               


(Data queued in unified spool file)

   +------+------+                +------+------+
   |PrePro|      |                |PrePro|      |---> DB
   +------+Output|                +------+Output|---> ASCII
>--|Detect|      |                |Detect|      |---> TCPDump
   +------+------+                +------+------+
              |                            | | 
              |                            | |
          +------+                         | |
          |BarnYd|----/net/----------------/ |
          +------+                           |
                                            etc
    

Again, the main purpose is to bring the data reliably to the remote
sensor and inject it back into Snort so that it can be processed with
the existing output plugins.


Regards,
Frank
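The store-and-forward idea discussed in this message, as an added example (not Snort's or Barnyard's own code): the sensor appends events to a local spool file and a bookmark records how far the central side has acknowledged them, so a database outage only delays delivery instead of losing alerts. The class `SpoolForwarder`, the helper `run_demo`, the JSON-record-per-line spool layout and the sample events are assumptions made for illustration.

```python
import json, os, tempfile

class SpoolForwarder:
    """Sensor-side store-and-forward queue (hypothetical helper, not Barnyard's
    own format): events append to a local spool file, and a bookmark file holds
    the byte offset up to which the central sink has acknowledged them."""

    def __init__(self, spool_path, bookmark_path, sink):
        self.spool, self.bookmark = spool_path, bookmark_path
        self.sink = sink  # callable; raises ConnectionError while the DB is down

    def enqueue(self, event):
        # One JSON record per line, binary mode so byte offsets stay exact.
        with open(self.spool, "ab") as f:
            f.write(json.dumps(event).encode() + b"\n")

    def flush(self):
        """Deliver records past the bookmark; return how many were sent. The
        bookmark advances only after the sink accepts a record, so a failure
        resumes from the last acknowledged one (at-least-once delivery)."""
        if not os.path.exists(self.spool):
            return 0
        offset = int(open(self.bookmark).read()) if os.path.exists(self.bookmark) else 0
        sent = 0
        with open(self.spool, "rb") as f:
            f.seek(offset)
            for line in f:
                try:
                    self.sink(json.loads(line))
                except ConnectionError:
                    break  # leave it queued; retry on the next flush
                offset += len(line)
                sent += 1
        with open(self.bookmark, "w") as f:
            f.write(str(offset))
        return sent

def run_demo():
    # Constructed scenario: two alerts queued while the DB is down, then delivered.
    d, delivered, db_up = tempfile.mkdtemp(), [], {"up": False}
    def sink(event):
        if not db_up["up"]:
            raise ConnectionError("central DB unreachable")
        delivered.append(event["sid"])
    fw = SpoolForwarder(os.path.join(d, "spool"), os.path.join(d, "bookmark"), sink)
    fw.enqueue({"sid": 1, "src": "192.0.2.10"})  # constructed sample events
    fw.enqueue({"sid": 2, "src": "192.0.2.11"})
    first = fw.flush()   # DB down: nothing delivered, nothing lost
    db_up["up"] = True
    second = fw.flush()  # DB back: both delivered in order
    return first, second, fw.flush(), delivered  # third flush finds nothing
```

Because the bookmark is written only after the sink accepts a record, the central side must tolerate an occasional repeat (for example by keying on a sensor id plus event id) rather than assuming exactly-once delivery.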
