[Snort-users] question on distributed snort collection

Williams Jon WilliamsJonathan at ...2134...
Wed Jun 4 13:19:20 EDT 2003

I don't know about preferred yet.  How 'bout I let you know in a few months.

Seriously, though, I'm going through similar issues now.  For the time
being, I'm having all sensors, where all is still a fairly small number in
my mind, report back to a single console for analysis.  While this means
that there's more stuff to dig through in order to find the really serious
alarms, it also means that I've got one-stop shopping and don't have to go
through fifteen different consoles to do my aggregation when I'm tracking
down a baddie.

Once again, this is still in the early phases, so I may change my mind when
I get my environment bigger.  Right now, my biggest issues are more
operational, like how do I keep patches up-to-date on boxes on the other
side of the International Date Line and where the nearest admin is 6 hours
away by plane and doesn't have an account on it.  Small stuff like that.


-----Original Message-----
From: Garrett.Allen at ...8966... [mailto:Garrett.Allen at ...8966...]
Sent: Wednesday, June 04, 2003 3:01 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] question on distributed snort collection

I've gotten the pink beastie stable and am getting useful info out.  So far,
so good.  Now I would like to extend to remote locations.  Is there a
preferred means of doing this?  Flat vs. tiered MOM (MOM = monitor of
monitors)?  Still in the planning phase and have time to test in the lab,
but any shortcuts / recommendations are appreciated.
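The two layouts discussed in this thread, flat (every sensor reports to one console) and tiered (a regional monitor of monitors summarizes and forwards), can be viewed as the same aggregation split at different points. The script below is an added example written for this page; it is not code from the thread or from the Snort project. It assumes each sensor forwards Snort's syslog alert output to a collector so that every line carries the sensor hostname, and the sensor names, SIDs (local range, 1000001 and up), addresses and the sensor-to-region map are all constructed.

```python
"""Flat vs. tiered aggregation of Snort alerts from several sensors.

Added example, not from the thread or the Snort project.  Assumes each
sensor forwards Snort's syslog alert output to a collector, so every line
carries the sensor's hostname.  Sensor names, SIDs (local range 1000001+),
addresses and the region map are constructed sample data.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample of what the collector's syslog file might hold after
# three sensors (two in one region, one in another) forwarded alerts.
SAMPLE_LINES = """\
Jun  4 13:19:20 sensor-ny snort[4123]: [1:1000001:1] LOCAL sql slammer probe [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {UDP} 10.8.1.5:1434 -> 10.1.0.9:1434
Jun  4 13:19:21 sensor-ny snort[4123]: [1:1000002:1] LOCAL web scanner user-agent [Classification: Web Application Attack] [Priority: 2]: {TCP} 10.8.1.7:40112 -> 10.1.0.20:80
Jun  4 13:19:22 sensor-chi snort[2210]: [1:1000001:1] LOCAL sql slammer probe [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {UDP} 10.8.1.5:1434 -> 10.2.0.4:1434
Jun  4 13:19:23 sensor-chi snort[2210]: [1:1000003:2] LOCAL icmp sweep [Classification: Attempted Information Leak] [Priority: 3]: {ICMP} 10.8.2.9 -> 10.2.0.5
Jun  4 13:19:25 sensor-tyo snort[917]: [1:1000001:1] LOCAL sql slammer probe [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {UDP} 10.8.1.5:1434 -> 10.3.0.2:1434
this line is not a snort alert and must be skipped
"""

# Constructed sensor -> region map used by the tiered variant.
REGIONS = {"sensor-ny": "us", "sensor-chi": "us", "sensor-tyo": "apac"}

# Assumed syslog layout: "<timestamp> <sensor> snort[pid]: [gid:sid:rev] msg
# [Classification: ...] [Priority: n]: {proto} src -> dst".
ALERT_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<sensor>\S+) snort\[\d+\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    sensor: str
    sid: int
    rev: int
    msg: str
    priority: int
    proto: str
    src: str
    dst: str


def parse_alerts(text):
    """Turn syslog lines into Alert objects; non-matching lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        alerts.append(Alert(sensor=m["sensor"], sid=int(m["sid"]), rev=int(m["rev"]),
                            msg=m["msg"], priority=int(m["prio"]), proto=m["proto"],
                            src=m["src"], dst=m["dst"]))
    return alerts


def _new_row(priority):
    return {"priority": priority, "sensors": Counter(), "sources": set()}


def summarize(alerts):
    """Flat console: one row per signature, per-sensor hit counts, source set."""
    summary = {}
    for a in alerts:
        row = summary.setdefault((a.sid, a.msg), _new_row(a.priority))
        row["sensors"][a.sensor] += 1
        row["sources"].add(a.src)
    return summary


def merge(summaries):
    """Monitor-of-monitors step: fold per-region summaries into one."""
    merged = {}
    for s in summaries:
        for key, row in s.items():
            target = merged.setdefault(key, _new_row(row["priority"]))
            target["sensors"].update(row["sensors"])   # Counter + Counter adds counts
            target["sources"] |= row["sources"]
    return merged


def tiered_summary(alerts, regions):
    """Summarize per region first (tier 1), then merge (tier 2).  Gives the
    same result as summarize(alerts) because counts and sets merge losslessly."""
    by_region = defaultdict(list)
    for a in alerts:
        by_region[regions.get(a.sensor, "unmapped")].append(a)
    return merge(summarize(group) for group in by_region.values())


def triage_order(summary):
    """Order rows for the analyst: lowest priority number first, then the
    signature seen by the most sensors, then the most total hits."""
    return sorted(summary.items(),
                  key=lambda kv: (kv[1]["priority"],
                                  -len(kv[1]["sensors"]),
                                  -sum(kv[1]["sensors"].values())))


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_LINES)
    flat = summarize(alerts)
    assert flat == tiered_summary(alerts, REGIONS)
    for (sid, msg), row in triage_order(flat):
        print(f"P{row['priority']} sid={sid} {msg}: "
              f"{sum(row['sensors'].values())} hit(s) on {len(row['sensors'])} sensor(s) "
              f"from {sorted(row['sources'])}")
```

The point of the tiered path is that a regional node ships summaries rather than raw lines, which is what makes it attractive when the sensors sit across an ocean; the equivalence holds for counts and sets but not for anything that needs the raw alerts in one place, such as cross-region correlation by timestamp, so keep the raw lines reachable somewhere even if the console only sees the merged rows.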

