[Snort-users] question on distributed snort collection
WilliamsJonathan at ...2134...
Wed Jun 4 13:19:20 EDT 2003
I don't know about preferred yet. How 'bout I let you know in a few months?
Seriously, though, I'm going through similar issues now. For the time
being, I'm having all sensors, where all is still a fairly small number in
my mind, report back to a single console for analysis. While this means
that there's more stuff to dig through in order to find the really serious
alarms, it also means that I've got one-stop shopping and don't have to go
through fifteen different consoles to do my aggregation when I'm tracking
down a baddie.
Once again, this is still in the early phases, so I may change my mind when
I get my environment bigger. Right now, my biggest issues are more
operational, like how do I keep patches up-to-date on boxes on the other
side of the International Date Line and where the nearest admin is 6 hours
away by plane and doesn't have an account on it. Small stuff like that.
From: Garrett.Allen at ...8966... [mailto:Garrett.Allen at ...8966...]
Sent: Wednesday, June 04, 2003 3:01 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] question on distributed snort collection
I've gotten the pink beastie stable and am getting useful info out. So far,
so good. Now I would like to extend to remote locations. Is there a
preferred means of doing this? Flat vs. tiered MOM (MOM = monitor of
monitors)? Still in the planning phase and have time to test in the lab,
but any shortcuts / recommendations are appreciated.