[Snort-devel] Re: [Snort-users] Distributed Snort

Matthew Callaway matt at ...807...
Fri Nov 15 09:21:05 EST 2002


I just thought I'd throw in my two cents on this issue.  Here's an idea
that skips all the new development work you're talking about.

In your "distributed snort" environment, have each sensor log packets to
unified format log files.  Have these log files encrypted by the
log-rotation process (via gpg) and mailed to your central server.
Receive the log files, de-crypt them, then run barnyard on your spooled
log files to feed the database.

Each component of this process already exists in some form (snort,
unified logs, gpg, mail, barnyard, mysql, etc).  The only extra work is
knitting it all together.  Having data mailed takes care of sporadic
network conditions (mail servers spool data).  Barnyard already does the
work of feeding the DB, and serializing the process keeps a lid on
scalability.

-M





More information about the Snort-devel mailing list