[Snort-users] distributed snort

Erek Adams erek at ...577...
Wed Oct 3 06:45:03 EDT 2001

On Wed, 3 Oct 2001, meling wrote:

> I'm developing a distributed intrusion detection architecture using
> Snort on the IDS sensors. We're targeting to deploy > 50 sensors on
> multiple networks. These sensors will push the alert logs to 1 central
> console, where data crunching and analysis will take place.

Good base setup.  Few tweaks that can really save your ass though.

> My questions are:
> 1. How feasible it is to send alert logs from 50 sensors to 1 central console?
>    The central console will have several different components in itself,
>    such as data parsing, etc.

Very.  Just consider a few little things makes this work very well.

	Backend Network--For administration and data output.
	Don't log over the net--SIGHUP snort, and have it ship the binary
files over to your central sensor, drop them off and have the console drop
them into the DB.  Much safer and quicker.  Or wait till barnyard has DB
output!  :)

> 2. What is the most efficient way to make sure that Snort is runnig 24x7 on
>    the sensors? Is tcpserver any good?

Never used it, so I can't say.  You could cobble up a quick and dirty 'viagra'
script.  There's also Daemontools.  You can use /etc/inittab, but be careful.
You don't want it spawning copies to quickly.

> 3. What are the best data consolidation techniques available? My concern is
>    that when too many data are displayed from various sensors on the
>    monitoring console, security analyst will tend to ignore them.

I'd suggest using something like ACID, DeMarc, or SnortSnarf.  Each tool has
it's own merits so look into them each and see what matches your wants and

> Your input are very much appreciated.

Hope it helps!

Erek Adams

More information about the Snort-users mailing list