[Snort-users] Distributed Snort management

Nelson, Ben bnelson at ...5464...
Wed May 21 18:16:06 EDT 2003


I have many snort sensors that are distributed across large geographic boundaries.  Maintaining and monitoring these installations is starting to become troublesome.  I have started using SnortCenter to manage and push out rules (which is working great BTW), but I need to figure out a good way to centralize the data and alerts that Snort comes up with.

At first I thought that I could just make all of the sensors log to a centralized MySQL server (all logging to the same database) over stunnel or something like that, but what if a sensor loses connectivity to the MySQL server?  I'd lose all of the alerts generated during that time frame (I guess I could log them to flat files on disk as well, but that would defeat the purpose of using a database...no?)

Then I thought maybe I could set up TWO output directives to log all alerts to two separate databases (one local to the sensor and the remote one), but then re-synchronizing the sensor's database to the main MySQL server becomes a problem when connectivity is re-established.

I could also just use MySQL's built in replication (over stunnel again).  That would solve my problem of re-synchronizing databases when connectivity came back (MySQL handles all of that), but then I'd have to have a separate database for each sensor since MySQL doesn't support replication of multiple masters to a single slave (does any database supported by snort do this?).  Ideally, I'd like to have all alerts from all sensors go into the SAME database.

Is anyone else in a similar situation?  What did you do to centralize your alerts?  I'm really open to suggestions... having ACID loaded onto EVERY sensor seems like a waste (not to mention a pain to check regularly).

Thanks,
--Ben
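[Added example, not part of Ben's message and not Snort or SnortCenter code.]  The second option above (one output directive to a sensor-local database, one to the central server) is workable if the catch-up step is idempotent.  The script below sketches that catch-up in Python with sqlite3 standing in for both databases so it runs offline.  Assumptions: a simplified event table (sid, cid, signature, timestamp) instead of Snort's full schema; the sensor's own id in its local database is always 1; the central server assigns each hostname its own sid and records, per sensor, the highest cid it has already been offered ("last_cid").  Because (sid, cid) is the primary key and the copy uses INSERT OR IGNORE, alerts that already arrived through the direct path are skipped rather than duplicated, and only the rows lost during the outage are filled in.  The hostnames, cids and timestamps in demo() are constructed.

```python
"""Store-and-forward catch-up for a sensor that logs both locally and to a
central server.  Constructed illustration; the schema is a cut-down stand-in
for Snort's database output (assumption: cid is the per-sensor event counter,
so (sid, cid) uniquely identifies one alert)."""
import sqlite3

SCHEMA = """
CREATE TABLE sensor (
    sid INTEGER PRIMARY KEY,
    hostname TEXT UNIQUE,
    last_cid INTEGER NOT NULL DEFAULT 0   -- highest cid already offered centrally
);
CREATE TABLE event (
    sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
    PRIMARY KEY (sid, cid)                -- makes re-delivery a no-op
);
"""


def new_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def register_sensor(central, hostname):
    """Return the central sid for a hostname, creating the row on first sight."""
    row = central.execute("SELECT sid FROM sensor WHERE hostname=?", (hostname,)).fetchone()
    if row:
        return row[0]
    with central:
        cur = central.execute("INSERT INTO sensor (hostname) VALUES (?)", (hostname,))
    return cur.lastrowid


def resync(local, central, hostname, batch=1000):
    """Copy alerts from the sensor's local DB (its own sid is 1, assumption)
    that the central DB has not been offered yet.  Safe to rerun: rows that
    already arrived via the direct path are ignored, and the per-sensor
    high-water mark advances only together with the batch it covers.
    Returns the number of rows newly inserted centrally."""
    sid = register_sensor(central, hostname)
    (last_cid,) = central.execute("SELECT last_cid FROM sensor WHERE sid=?", (sid,)).fetchone()
    inserted = 0
    while True:
        rows = local.execute(
            "SELECT cid, signature, timestamp FROM event "
            "WHERE sid=1 AND cid>? ORDER BY cid LIMIT ?",
            (last_cid, batch)).fetchall()
        if not rows:
            break
        with central:  # batch + high-water mark commit together, or not at all
            before = central.total_changes
            central.executemany(
                "INSERT OR IGNORE INTO event (sid, cid, signature, timestamp) VALUES (?, ?, ?, ?)",
                [(sid, cid, sig, ts) for cid, sig, ts in rows])
            inserted += central.total_changes - before   # ignored rows are not counted
            last_cid = rows[-1][0]
            central.execute("UPDATE sensor SET last_cid=? WHERE sid=?", (last_cid, sid))
    return inserted


def demo():
    """Constructed scenario: 'sensor-a' raised cid 1..12 locally; the direct
    path delivered 1-5 and 9-12, and 6-8 were lost during an outage."""
    local, central = new_db(), new_db()
    for cid in range(1, 13):
        local.execute("INSERT INTO event VALUES (1, ?, ?, ?)",
                      (cid, 1000000 + cid % 3, "2003-05-21 18:%02d:00" % cid))
    sid = register_sensor(central, "sensor-a")
    for cid in list(range(1, 6)) + list(range(9, 13)):
        central.execute("INSERT INTO event VALUES (?, ?, ?, ?)",
                        (sid, cid, 1000000 + cid % 3, "2003-05-21 18:%02d:00" % cid))
    first = resync(local, central, "sensor-a", batch=4)   # fills in 6, 7, 8
    second = resync(local, central, "sensor-a", batch=4)  # nothing left to do
    total = central.execute("SELECT COUNT(*) FROM event WHERE sid=?", (sid,)).fetchone()[0]
    return first, second, total


if __name__ == "__main__":
    print(demo())
```

Run this on each sensor (or from the central side over the stunnel link) whenever connectivity is back; the sensor-local database stays the complete record, and the central one converges to it without a per-sensor replica.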
