[Snort-users] distributed snort
meling at ...3359...
Tue Oct 2 20:34:02 EDT 2001
I'm developing a distributed intrusion detection architecture using
Snort on the IDS sensors. We're targeting to deploy > 50 sensors on
multiple networks. These sensors will push the alert logs to 1 central
console, where data crunching and analysis will take place.
My questions are:
1. How feasible it is to send alert logs from 50 sensors to 1 central console?
The central console will have several different components in itself,
such as data parsing, etc.
2. What is the most efficient way to make sure that Snort is running 24x7 on
the sensors? Is tcpserver any good?
3. What are the best data consolidation techniques available? My concern is
that when too much data is displayed from various sensors on the
monitoring console, security analysts will tend to ignore it.
Your input is very much appreciated.
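One way to approach the consolidation problem in question 3, as an added example that is not from the original post: the central console collapses Snort fast-format alert lines from many sensors into one row per signature and source, so fifty sensors reporting the same scanner become one line for the analyst. The leading sensor tag on each line and the sample alerts are constructed assumptions for the example.

```python
import re

# Snort's alert_fast line format. The leading sensor name is an assumed
# convention added by whatever forwards the logs to the console; Snort
# itself does not emit it.
FAST_RE = re.compile(
    r"^(?P<sensor>\S+)\s+(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

# Constructed sample input: four alerts from three sensors plus one junk line.
SAMPLE_LINES = [
    "sensor-a 10/02-20:34:02.100000  [**] [1:1000001:1] TEST ping sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.1.1.5 -> 10.2.2.2",
    "sensor-b 10/02-20:34:03.200000  [**] [1:1000001:1] TEST ping sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.1.1.5 -> 10.2.2.9",
    "sensor-a 10/02-20:34:05.300000  [**] [1:1000002:1] TEST web probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.1.1.5:40000 -> 10.2.2.2:80",
    "sensor-c 10/02-20:34:06.400000  [**] [1:1000002:1] TEST web probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.1.1.5:40001 -> 10.2.2.2:80",
    "this line is not an alert and must be skipped",
]

def parse_alert(line):
    """Fields of one fast-alert line, or None if the line is not an alert."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["prio"] = int(d["prio"]) if d["prio"] else 3   # no priority -> treat as low
    return d

def consolidate(lines):
    """One row per (gid, sid, source) across all sensors: hit count, sensors
    that saw it, distinct targets and best (lowest) priority."""
    rows = {}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue  # banners, truncated writes, etc. are ignored, not counted
        key = (a["gid"], a["sid"], a["src"])
        r = rows.setdefault(key, {"msg": a["msg"], "count": 0, "sensors": set(),
                                  "targets": set(), "prio": a["prio"]})
        r["count"] += 1
        r["sensors"].add(a["sensor"])
        r["targets"].add(a["dst"])
        r["prio"] = min(r["prio"], a["prio"])
    # Highest priority first, then the most widespread activity.
    return sorted(rows.items(), key=lambda kv: (kv[1]["prio"], -kv[1]["count"]))
```

Grouping on (gid, sid, source) is a deliberate choice: a single host tripping the same rule on many sensors is what the analyst should see once, while distinct sources stay separate rows.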