[Snort-users] question on distributed snort collection
bamm at ...539...
Wed Jun 4 14:05:08 EDT 2003
All my sensors run FreeBSD with IPSEC enabled. I have a FreeBSD IPSEC GW that all the sensors establish tunnels with. From there the data is routed to an internal network that consists of a central DB and GUI server. Any of us analysts can connect to the GUI server (either from the local net or an ssh tunnel), and manage events through a GUI console. Although we use a proprietary interface right now, our plans are to move to sguil (http://sguil.sf.net - yeah, I plugged it again), in the future. The DB becomes the biggest hassle (we are using postgres currently, but mysql w/sguil). At one point I think we scaled to eight sensors inserting a few hundred thousand events and around 10 million connections/day.
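The sensor-to-gateway tunnels described above, as an added example that is not from the original post: a FreeBSD setkey(8) policy file for one sensor and the matching policy on the IPSEC gateway. All addresses are constructed (sensor public address 192.0.2.10, gateway public address 198.51.100.1, internal collection network 10.10.0.0/24 holding the DB and GUI server); only the security policy is defined here, with the SAs themselves negotiated by an IKE daemon such as racoon.

```conf
#!/usr/sbin/setkey -f
# Constructed example addresses:
#   192.0.2.10     - sensor's public interface
#   198.51.100.1   - IPSEC gateway's public interface
#   10.10.0.0/24   - internal collection network (DB + GUI server)
flush;
spdflush;

# ---- Sensor side (/etc/ipsec.conf on the sensor) ----
# Anything the sensor sends toward the collection network must
# travel inside an ESP tunnel to the gateway.  The "require" level
# means the kernel drops the packet rather than sending it in the
# clear if no SA exists, so event data never leaks in plaintext.
spdadd 192.0.2.10/32 10.10.0.0/24 any -P out ipsec
    esp/tunnel/192.0.2.10-198.51.100.1/require;
spdadd 10.10.0.0/24 192.0.2.10/32 any -P in ipsec
    esp/tunnel/198.51.100.1-192.0.2.10/require;

# ---- Gateway side (/etc/ipsec.conf on the IPSEC GW) ----
# Mirror image of the sensor policy; one pair of spdadd lines per
# sensor.  The gateway also needs net.inet.ip.forwarding=1 so the
# decapsulated packets are routed on to the internal network.
spdadd 10.10.0.0/24 192.0.2.10/32 any -P out ipsec
    esp/tunnel/198.51.100.1-192.0.2.10/require;
spdadd 192.0.2.10/32 10.10.0.0/24 any -P in ipsec
    esp/tunnel/192.0.2.10-198.51.100.1/require;
```

Load with `setkey -f /etc/ipsec.conf` and confirm with `setkey -DP`; the first packet from the sensor toward the DB should then trigger IKE negotiation rather than leave in the clear.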
On Wed, Jun 04, 2003 at 04:00:45PM -0400, Garrett.Allen at ...8966... wrote:
> I've gotten the pink beastie stable and am getting useful info out. So far,
> so good. Now I would like to extend to remote locations. Is there a
> preferred means of doing this? Flat vs. tiered mom (mom = monitor of
> monitors)? Still in the planning phase and have time to test in the lab,
> but any shortcuts / recommendations are appreciated.