[Snort-users] Rebuilding the wheel
mike at ...16027...
Wed Dec 19 12:06:25 EST 2012
I have a specific set of implementation requirements and have been away from Snort long enough that I figured I'd ask before rebuilding the wheel (as fun as that initially sounds)
six or so years ago, we had a 14 IDS infrastructure that bubbled it's results up to a Qradar box. The sensors were originally Gentoo boxes and worked well, but required a pretty serious investment in Gentoo to keep them running. They were also ONLY snort boxes. Sure, you could hop on them and run a TCPdump, but they were one trick ponys...also importantly: they were on the outside interface, meaning they didn't see NATTed traffic.
I've used AlienVault and Security onion, and they are both more, and less than I want. I'm having issues with dropped packets on one of the first boxes, and it seems to be kernel related (fiber intel e1000 card on a HUGE DL585, 8 core, 32 Gb RAM, 1 gig feed). I'm still digging into compiling PF_ring support on a 2.8 kernel. Alienvault seemed to be doing too much, I don't need the bells and whistles, and Security Onion seems hell bent to record every single packet, which is great in an analyst box, but it's hell to tune.
What I'm looking for is automation to roll out and manage a box that does IDS stuff and receives syslog feeds to give visibility...from 22+ locations.
More information about the Snort-users