[Snort-devel] Re: [Snort-users] Distributed Snort
fede at ...1683...
Thu Nov 14 12:18:11 EST 2002
Matthew Callaway wrote:
>I just thought I'd throw in my two cents on this issue. Here's an idea
>that skips all the new development work you're talking about.
>In your "distributed snort" environment, have each sensor log packets to
>unified format log files. Have these log files encrypted by the
>log-rotation process (via gpg) and mailed to your central server.
>Receive the log files, de-crypt them, then run barnyard on your spooled
>log files to feed the database.
You can use XML over HTTPS and a servlet/CGI on the httpd side with some
XSLT, and you have all your logs/alarms nicely formatted in HTML in 10
lines of code. Though I never tried to use the XML logging module, so
performance could really be a pita...
>Each component of this process already exists in some form (snort,
>unified logs, gpg, mail, barnyard, mysql, etc). The only extra work is
>knitting it all together. Having data mailed takes care of sporadic
>network conditions (mail servers spool data). Barnyard already does the
>work of feeding the DB, and serializing the process keeps a lid on