[Snort-users] Rebuilding the wheel

Mike Miller mike at ...16027...
Mon Jan 7 11:22:23 EST 2013

(Sorry it took so long to get back to you, I found this buried in my Drafts folder)

I like Security Onion, a lot, but it's kinda geared to less traffic than I'm expecting. Figure two perimeter 10 gig feeds, and a couple hundred internal firewall interfaces that need monitoring. It's a statewide consolidated network.

> Yes, Security Onion does full packet capture by default.  You can
> disable it if you wish, but it provides tremendous forensic
> capability.

I agree wholeheartedly...except where the pipe is running at Gig speeds and the firewall is averaging 150 MBps. I shudder to think what the hardware requirements would be at our ASA 5580s.

>> What I'm looking for is automation to roll out and manage a box that does IDS stuff and receives syslog feeds to give visibility...from 22+ locations.
> Security Onion can receive syslog feeds and store them in ELSA, a
> central web interface similar to Splunk, but free.

I will look into this. 

> If you have further questions about Security Onion, please feel free
> to use our mailing lists:
> http://code.google.com/p/security-onion/wiki/MailingLists

> Hope that helps!
> Thanks,
> --
> Doug Burks
> http://securityonion.blogspot.com
