[Snort-users] Rebuilding the wheel

Tony Robinson deusexmachina667 at ...11827...
Thu Dec 27 18:27:31 EST 2012


I feel so loved for having Autosnort mentioned :-). Autosnort still has a
bit of work before it can do what you ask, but the next project milestone
is to have Autosnort present a syslog-only option for deployments like this
so Snort can easily integrate into a SIEM solution and just give you alerts.

Other alternatives for you would be to utilize a configuration management
solution for Linux like Puppet, Chef or Spacewalk.

Build out a single sensor and use that as a deployment template for your
other sensors.

Hope this helps.
On Dec 21, 2012 2:55 PM, "Y M" <snort at ...15979...> wrote:

> Besides Security Onion, you may want to take a look at Autosnort for
> automating the build of a Snort box:
> Blog: http://autosnort.blogspot.com/
> Scripts: http://snort.org/docs
>
> > From: mike at ...16027...
> > Date: Wed, 19 Dec 2012 10:06:25 -0700
> > To: snort-users at lists.sourceforge.net
> > Subject: [Snort-users] Rebuilding the wheel
> >
> > I have a specific set of implementation requirements and have been away
> from Snort long enough that I figured I'd ask before rebuilding the wheel
> (as fun as that initially sounds)
> >
> > Six or so years ago, we had a 14-IDS infrastructure that bubbled its
> results up to a QRadar box. The sensors were originally Gentoo boxes and
> worked well, but required a pretty serious investment in Gentoo to keep
> them running. They were also ONLY Snort boxes. Sure, you could hop on them
> and run a tcpdump, but they were one-trick ponies. Also importantly: they
> were on the outside interface, meaning they didn't see NATted traffic.
> >
> > I've used AlienVault and Security Onion, and they are both more, and
> less, than I want. I'm having issues with dropped packets on one of the
> first boxes, and it seems to be kernel related (fiber Intel e1000 card on a
> HUGE DL585, 8 cores, 32 GB RAM, 1 Gig feed). I'm still digging into
> compiling PF_RING support on a 2.8 kernel. AlienVault seemed to be doing
> too much, I don't need the bells and whistles, and Security Onion seems
> hell-bent on recording every single packet, which is great in an analyst box,
> but it's hell to tune.
> >
> > What I'm looking for is automation to roll out and manage a box that
> does IDS stuff and receives syslog feeds to give visibility...from 22+
> locations.
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
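As an added illustration of the "build one sensor and use it as a deployment template" and "syslog-only output into a SIEM" points above (this is not code from the thread, from Autosnort, or from any of the tools named; it is example code written for this page), the script below renders a per-sensor snort.conf fragment from one template. The sensor names, interfaces, HOME_NET ranges and the LOG_LOCAL4 facility are made-up assumptions; the directives use Snort 2.x configuration syntax (ipvar, config interface, output alert_syslog, config nolog).

```shell
#!/bin/sh
# Added example, not from the thread or from Autosnort. Renders one snort.conf
# fragment per sensor from a single template so every box is built the same way
# and only ships alerts to syslog (where the SIEM collector picks them up),
# with no local packet or unified2 logging on the sensor itself.
# Sensor names, interfaces, HOME_NET values and the syslog facility are assumptions.

# render_sensor_conf NAME IFACE HOME_NET
# Prints the sensor-specific snort.conf fragment on stdout.
render_sensor_conf() {
    name=$1; iface=$2; home_net=$3
    cat <<EOF
# sensor: $name (interface $iface)
ipvar HOME_NET $home_net
ipvar EXTERNAL_NET !\$HOME_NET
config interface: $iface
# alerts only, to syslog; the SIEM does the storage and correlation
output alert_syslog: LOG_LOCAL4 LOG_ALERT
# no local packet/unified2 logging on the sensor (equivalent to snort -N)
config nolog
EOF
}

# render_all OUTDIR
# Reads "name iface home_net" lines on stdin and writes OUTDIR/<name>.conf for each.
render_all() {
    outdir=$1
    while read -r name iface home_net; do
        [ -z "$name" ] && continue
        render_sensor_conf "$name" "$iface" "$home_net" > "$outdir/$name.conf"
    done
}

# conf_has_syslog_only FILE
# Returns 0 when FILE sends alerts to syslog, disables local logging, and
# has no unified2 output; a cheap check to run before pushing a config out.
conf_has_syslog_only() {
    grep -q '^output alert_syslog:' "$1" \
        && grep -q '^config nolog' "$1" \
        && ! grep -q '^output unified2' "$1"
}

# Constructed sample inventory (not real hosts): one line per sensor.
SAMPLE_INVENTORY='sensor01 eth1 10.1.0.0/16
sensor02 eth1 10.2.0.0/16
sensor03 eth2 192.168.50.0/24'

# Usage:
#   mkdir -p /tmp/snort-confs
#   printf '%s\n' "$SAMPLE_INVENTORY" | render_all /tmp/snort-confs
#   for f in /tmp/snort-confs/*.conf; do conf_has_syslog_only "$f" || echo "BAD: $f"; done
```

The rendered fragment is meant to be included from a common snort.conf that carries the rules and preprocessor settings; only the per-sensor pieces (name, interface, HOME_NET) vary, so a configuration management tool like Puppet or Chef would ship the common file unchanged and generate this fragment from its inventory.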