[Snort-devel] Distributed Snort

Frank Knobbe fknobbe at ...337...
Thu Nov 14 10:02:03 EST 2002

On Thu, 2002-11-14 at 06:36, Peter Moore wrote:
> I like your suggestion in that you are still collecting the data and once it
> detects that the database has come back online it would try and then insert
> the data. The only issue I have is how you would be storing the queued data?
> In a log file or something similar?

I thought either in a queue in memory, or in a file. Thinking more about
it, I think Barnyard would be the best option.

> If you are storing it in a file then why not just store it on the current
> sensor instead of the remote one?

That is exactly what I meant. The main idea is to bring that data back
into the remote/central Snort box.

Here is an ASCII drawing for the concept:

(Data queued in Snort, probably less efficient due to memory)

   +------+------+-+              +------+------+
   |PrePro|      |Q|              |PrePro|      |---> DB
   +------+Output|u|---/net/---\  +------+Output|---> ASCII
>--|Detect|      |e|           |  |Detect|      |---> TCPDump
   +------+------+-+           |  +------+------+
                               |           | | 
                               \-----------/ |
   +------+------+-+                         | 
   |PrePro|      |Q|                         |
>--|Detect|      |e|           

(Data queued in unified spool file)

   +------+------+                +------+------+
   |PrePro|      |                |PrePro|      |---> DB
   +------+Output|                +------+Output|---> ASCII
>--|Detect|      |                |Detect|      |---> TCPDump
   +------+------+                +------+------+
              |                            | | 
              |                            | |
          +------+                         | |
          |BarnYd|----/net/----------------/ |
          +------+                           |

Again, the main purpose is to bring the data reliably to the remote
sensor and inject it back into Snort so that it can be processed with
the existing output plugins.
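A small store-and-forward sketch of the spool-file variant above, added here as an example and not code from this thread or from Snort/Barnyard: the sensor appends alerts to a local spool, and a forwarder replays them from a checkpoint into the central store, resuming after an outage without re-inserting what was already accepted. The JSON-lines spool, the checkpoint file and the FlakyDatabase stand-in are assumptions in place of the unified format and a real database.

```python
import json
import os
import tempfile

def spool_append(spool_path, event):
    """Sensor side: append one alert as a JSON line and fsync it to disk."""
    with open(spool_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(event) + "\n")
        fh.flush()
        os.fsync(fh.fileno())

def read_checkpoint(ckpt_path):
    """Byte offset of the first event the central store has not acknowledged."""
    try:
        with open(ckpt_path) as fh:
            return int(fh.read().strip() or 0)
    except FileNotFoundError:
        return 0

def forward(spool_path, ckpt_path, sink):
    """Barnyard-like forwarder: replay unacknowledged events into sink.
    Stops at the first failure and advances the checkpoint only past events
    the sink accepted, so a later retry resumes there (at-least-once)."""
    offset = read_checkpoint(ckpt_path)
    delivered = 0
    with open(spool_path, "rb") as fh:
        fh.seek(offset)
        for raw in fh:
            try:
                sink(json.loads(raw))
            except ConnectionError:
                break                      # store is down: keep the rest queued
            offset += len(raw)
            delivered += 1
    with open(ckpt_path, "w") as fh:       # persist progress after the run
        fh.write(str(offset))
    return delivered

class FlakyDatabase:
    """Constructed stand-in for the central DB: unreachable on one insert call."""
    def __init__(self, fail_on_call):
        self.calls, self.fail_on_call, self.rows = 0, fail_on_call, []
    def insert(self, event):
        self.calls += 1
        if self.calls == self.fail_on_call:
            raise ConnectionError("database unreachable")
        self.rows.append(event)

def demo():
    """Spool three constructed alerts; the DB drops on the 2nd insert. Returns
    (events delivered per forwarder run, sids stored): ([1, 2], all three sids)."""
    workdir = tempfile.mkdtemp()
    spool, ckpt = os.path.join(workdir, "alerts.spool"), os.path.join(workdir, "alerts.ckpt")
    for sid in (1000001, 1000002, 1000003):          # constructed sample alerts
        spool_append(spool, {"sid": sid, "src": "10.0.0.5", "msg": "test alert"})
    db = FlakyDatabase(fail_on_call=2)
    runs = [forward(spool, ckpt, db.insert), forward(spool, ckpt, db.insert)]
    return runs, [row["sid"] for row in db.rows]
```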

