[Snort-users] Problems about snort in enterprise environment

Fraser Hugh hugh_fraser at ...2804...
Thu Nov 7 11:36:17 EST 2002


If I understand your question correctly, you want a single system with
multiple network cards each monitoring a different subnet, but logging to a
common database. I've seen threads here on Snort watching multiple network
cards, so I expect it can be done. There are, though, several benefits from
using a distributed system with a database/ACID server receiving events from
multiple Snort sensor systems, each watching a single subnet. I also expect
your main concern is the administrative/security people who will be managing
4 systems, but you've already listed the tools needed to reduce this load
quite a bit.

It's a simple task to have a system running Snort send its events to a
remote mysql database, and without any configuration changes, multiple
Snort systems will all log their events to a common database, each tagged
with the Snort system it came from. Acid can view the contents of the
database, and will allow your security admin people to view the installation
as a single source of events, or as separate subnets. Having individual
systems for each sensor and a common one for the database and ACID console
is easy to scale, as adding another subnet simply means deploying another
sensor and pointing it at the database server. Along with scalability, you
get some fault tolerance to the system, where the failure of a sensor on one
subnet doesn't completely blind you. If you're lucky enough to be able to
use the same Snort signatures for each subnet, the sensors become true
clones of each other, and deployment can almost be automated with tools like
kickstart.

You've also listed Webmin as a tool for managing the systems. Treating the
sensors as a cluster can go a long way towards reducing the workload of
managing all of the systems at once (i.e. package updates). Rsync is another
tool that can help keep them synchronized.

The only tool you haven't mentioned that I use is Netsaint/Nagios to provide
a single view of the database server and sensors performance in one place.

> -----Original Message-----
> From: Andrea Iacopini [mailto:andrea.iacopini at ...7117...]
> Sent: Thursday, November 07, 2002 5:32 AM
> To: Snort-users at lists.sourceforge.net
> Subject: [Snort-users] Problems about snort in enterprise environment
> 
> 
> Hi guys,
> I'm currently involved in a project which consists of a distributed Snort
> installation.
> Snort will monitor different subnets, my idea was to build a
> "complete-sensor" ( snort, mysql, acid, webmin ) for every module,
> anyway in this design administrative people need to monitor four
> different systems.
> My thought was: is it possible to create a single-system Snort
> installation with different ethernet devices that watch different
> subnets and log to the same DB?
> Some suggestions ? Links ?
> Regards,
> 
> A.
> ========================================================================
> Andrea Iacopini - Networking Solutions
> andrea.iacopini at ...7117... - Mobile + 39 335 123.44.93
> 
> REALTECH Italia S.p.A. - Technology drives e-Business
> Via Paolo di Dono, 73 - 00142 Roma, Italy
> Tel. +39 06 51.95.981, Fax. +39 06 51.96.36.74
> ========================================================================
> Real hackers don't die, just their TTL expires. [Unknown]
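The reply's point that events land in a common MySQL database "each tagged with the Snort system it came from" rests on the schema Snort's database output plugin writes and ACID reads: every sensor registers a row in the `sensor` table (keyed by hostname and interface), and every row in `event` carries that sensor id. The queries below are an added example, not part of either e-mail, showing how the security admins can look at the installation as one pool of events or per subnet, and how to spot a sensor that has stopped reporting. They assume the stock Snort/ACID MySQL schema (`sensor`, `event`, `signature` tables as created by the Snort `create_mysql` script) and that each sensor's snort.conf points at the shared database with the same `output database:` line; the sensor id `2` in the second query is a placeholder.

```sql
-- Added example: queries against the schema that Snort's MySQL output
-- plugin populates and ACID reads. Assumes the stock create_mysql tables.
-- Each sensor's snort.conf carries the same line, e.g.
--   output database: log, mysql, user=snort password=... dbname=snort host=dbserver
-- and the plugin registers the sensor by hostname+interface, so no
-- per-sensor configuration difference is needed for the tagging.

-- 1. The whole installation as one source, split by sensor: events per
--    subnet over the last day (sensor = hostname + interface).
SELECT s.sid,
       s.hostname,
       s.interface,
       COUNT(*)         AS events,
       MIN(e.timestamp) AS first_seen,
       MAX(e.timestamp) AS last_seen
FROM   event  e
JOIN   sensor s ON s.sid = e.sid
WHERE  e.timestamp >= NOW() - INTERVAL 1 DAY
GROUP  BY s.sid, s.hostname, s.interface
ORDER  BY events DESC;

-- 2. One subnet only: top signatures seen by a single sensor.
--    sid = 2 is a placeholder; take the real value from query 1.
SELECT sig.sig_name,
       COUNT(*) AS hits
FROM   event     e
JOIN   signature sig ON sig.sig_id = e.signature
WHERE  e.sid = 2
  AND  e.timestamp >= NOW() - INTERVAL 1 DAY
GROUP  BY sig.sig_name
ORDER  BY hits DESC
LIMIT  20;

-- 3. The fault-tolerance check the reply implies: a sensor whose failure
--    would otherwise go unnoticed because the console still shows events
--    from the other subnets. Lists sensors silent for over an hour
--    (or that have never logged). The threshold is a placeholder; tune it
--    to each subnet's normal event rate, since a quiet sensor is not
--    necessarily a dead one.
SELECT s.sid,
       s.hostname,
       s.interface,
       MAX(e.timestamp) AS last_seen
FROM   sensor s
LEFT JOIN event e ON e.sid = s.sid
GROUP  BY s.sid, s.hostname, s.interface
HAVING last_seen IS NULL
    OR last_seen < NOW() - INTERVAL 1 HOUR;
```

Query 3 is the one to wire into the Netsaint/Nagios view mentioned in the reply: an event-count check per sensor catches a sensor process that is still "up" from the host monitor's point of view but no longer writing to the database.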



