[Snort-users] Advice on IDS across WANS

Graxius graxius at ...11827...
Mon Sep 20 13:42:07 EDT 2004


> What can you people on this list advise so that i can read all logs
> from all 5 machines from a console machine in SiteA on the best secure
> way, and if possible with snort report.
> 
You could use a barnyard solution. Using Barnyard you could have all
your sensors log in binary format and have a script scp everything off
the sensors to the analyst box. Then have barnyard process the files.
Several well documented solutions talk about this subject so I am not
going to reproduce it. This would allow you to place a sensor anywhere
and use SSH as the tunnel. If you really wanted to get crazy you could
use TCPDump and scp the raw traffic but that would not be efficient
unless you wrote some good filters. The Shadow IDS project is based
around TCPDump and the above method. It is how I got started with it
and a good place to begin.

Also check out Bill Stearns' SSH-Keyinstall. This app takes almost all
the head-ache out of SSH-key based authentication for scripts.

Some great resources:
http://www.stearns.org/ssh-keyinstall/
Bill Stearns' SSH-Keyinstall

http://sguil.sourceforge.net/
Great front end

http://www.sans.org/rr/catindex.php?cat_id=30
Great source of papers on IDS

http://www.nswc.navy.mil/ISSEC/CID/
Shadow IDS Home Page

Mileage may vary and these are my opinions ;)

Respectfully,
Rich




More information about the Snort-users mailing list