[Snort-users] Rebuilding the wheel

Doug Burks doug.burks at ...11827...
Fri Dec 21 13:08:35 EST 2012

On Wed, Dec 19, 2012 at 12:06 PM, Mike Miller <mike at ...16027...> wrote:
> I have a specific set of implementation requirements and have been away from Snort long enough that I figured I'd ask before rebuilding the wheel (as fun as that initially sounds)
> six or so years ago, we had a 14 IDS infrastructure that bubbled it's results up to a Qradar box. The sensors were originally Gentoo boxes and worked well, but required a pretty serious investment in Gentoo to keep them running. They were also ONLY snort boxes. Sure, you could hop on them and run a TCPdump, but they were one trick ponys...also importantly: they were on the outside interface, meaning they didn't see NATTed traffic.
> I've used AlienVault and Security onion, and they are both more, and less than I want. I'm having issues with dropped packets on one of the first boxes, and it seems to be kernel related (fiber intel e1000 card on a HUGE DL585, 8 core, 32 Gb RAM, 1 gig feed). I'm still digging into compiling PF_ring support on a 2.8 kernel.

Hi Mike,

Please try our new Security Onion 12.04 RC1 as it already has PF_RING included:

> Alienvault seemed to be doing too much, I don't need the bells and whistles, and Security Onion seems hell bent to record every single packet, which is great in an analyst box, but it's hell to tune.

Yes, Security Onion does full packet capture by default.  You can
disable it if you wish, but it provides tremendous forensic

> What I'm looking for is automation to roll out and manage a box that does IDS stuff and receives syslog feeds to give visibility...from 22+ locations.

Security Onion can receive syslog feeds and store them in ELSA, a
central web interface similar to Splunk, but free.

If you have further questions about Security Onion, please feel free
to use our mailing lists:

Hope that helps!

Doug Burks

More information about the Snort-users mailing list