[Snort-devel] Re: [Snort-users] Distributed Snort

Federico Barbieri fede at ...1683...
Thu Nov 14 12:18:11 EST 2002

Matthew Callaway wrote:

>I just thought I'd throw in my two cents on this issue.  Here's an idea
>that skips all the new development work you're talking about.
>In your "distributed snort" environment, have each sensor log packets to
>unified format log files.  Have these log files encrypted by the
>log-rotation process (via gpg) and mailed to your central server.
>Receive the log files, de-crypt them, then run barnyard on your spooled
>log files to feed the database.

You can use XML on https and a servlet/cgi on the httpd side with some 
xslt and you have all your logs/alarms nicely formatted in html in 10 
lines of code. Though I never tried to use the xml logging module, so 
performance could really be a pita...

>Each component of this process already exists in some form (snort,
>unified logs, gpg, mail, barnyard, mysql, etc).  The only extra work is
>knitting it all together.  Having data mailed takes care of sporadic
>network conditions (mail servers spool data).  Barnyard already does the
>work of feeding the DB, and serializing the process keeps a lid on



