[Snort-users] question on distributed snort collection

Bamm Visscher bamm at ...539...
Wed Jun 4 14:05:08 EDT 2003


All my sensors run FreeBSD with IPSEC enabled. I have a FreeBSD IPSEC GW that all the sensors establish tunnels with. From there the data is routed to an internal network that consists of a central DB and GUI server. Any of us analysts can connect to the GUI server (either from the local net or an ssh tunnel), and manage events thru a GUI console. Although we use a proprietary interface right now, our plans are to move to sguil (http://sguil.sf.net - yeah, I plugged it again), in the future. The DB becomes the biggest hassle (we are using postgres currently, but mysql w/sguil). At one point I think we scaled to eight sensors inserting a few hundred thousand events and around 10 million connections/day.

Bammkkkk

On Wed, Jun 04, 2003 at 04:00:45PM -0400, Garrett.Allen at ...8966... wrote:
> i've gotten the pink beastie stable and am getting useful info out.  so far,
> so good.  now i would like to extend to remote locations.  is there a
> preferred means of doing this?  flat vs. tiered mom (mom = monitor of
> monitors)?  still in the planning phase and have time to test in the lab,
> but any shortcuts / recommendations are appreciated.
> 
> thanks.
> garrett
