[Snort-users] How to handle multiple snort sensors

Shirkdog shirkdog at ...11827...
Fri Aug 1 12:09:28 EDT 2014


For Salt and CFEngine (which is my choice), you can create files and
templates and ENFORCE the Snort configuration to achieve change management.
You can start with a default template and add in any specific filters or
changes you require.

With any configuration management, it should be something you are
comfortable with as you will have to support it.
On Aug 1, 2014 12:04 PM, "Jaime Nebrera" <jnebrera at ...16842...> wrote:

> Hi Robert,
>
> While with some work you could customize some open source configuration
> manager like Puppet, Chef or Salt to do this job (as Doug already
> suggested), the reality is you would still miss quite a bit of stuff in
> Snort specifics management as well as easiness.
>
> In the open source realm there are quite a bit of event management
> solutions designed for Snort, Snorby being probably the most known and
> popular.
>
> But the management side is still missing that traction (IMHO)
>
> This is why we created redBorder.org project, under sponsorship of a big
> client to manage a 100s sensor deployment
>
> Version 2.2.28 is available for free on the website but it's SQL-based and
> some design considerations made early in the project limit its
> scalability.
> This is why I would suggest you play with it but wait till mid September,
> when the 3.0 version will be made public.
>
> Its new bigdata-based backend as well as some SQL revamp will, we hope,
> establish a powerful record in this area
>
> What's even more important, while still open source as the prior version, we
> will upload it to GitHub, hoping to foster a strong community around it
>
> From the management side you have quite a bit of control of the different
> configuration files (Chef recipes are used underneath), full rules
> workflow, user roles, auditing, etc. The type of stuff you would expect
> from a professional management solution
>
> Another important point is the dismissal of direct SQL event injection.
> Replacing it with an Apache Kafka bus, we are now able to add real
> intelligence to the environment. This is not ready yet, but think of data
> enrichment stuff (geo location, reputation, ...), anomaly detection and
> correlation rules
>
> We believe this will be our biggest contribution to the Snort community so
> far. We have already done things for SNMP monitoring, Kafka, reputation,
> DAQ, etc., all available in our GitHub repository, and of course 2.2.28, but
> we believe the 3.0 version will be a huge step in favor of open source around
> our beloved Snort.
>
> Of course, in the proprietary realm this changes quite a bit, but that's a
> fully different ball game.
>
> PS.- If not evident by my email, my company develops redBorder :)
> On 01/08/2014 16:57, "Robert Millott" <robm at ...16885...>
> wrote:
>
>> All
>>    I am setting up about 35 snort sensors across our network, all feeding
>> back into a SIEM (ArcSight).  I was curious, how does anyone else out there
>> handle multiple sensors?  I am looking for a way to quickly (and centrally)
>> view snort.conf, threshold.conf, bpf filters, rules enabled or disabled etc.
>> without having to ssh into each individual host.  I know PulledPork will
>> handle pulling rules, but I am looking around to see if anyone has a means
>> of managing many sensors.
>>
>> Thanx
>>
>> --
>> Robert Millott
>> President, Millott and Associates
>> (443) 255-3588
>>
>>
>> ------------------------------------------------------------------------------
>> Want fast and easy access to all the code in your enterprise? Index and
>> search up to 200,000 lines of code with a free copy of Black Duck
>> Code Sight - the same software that powers the world's largest code
>> search on Ohloh, the Black Duck Open Hub! Try it now.
>> http://p.sf.net/sfu/bds
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest
>> Snort news!
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140801/903e6178/attachment.html>
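The "default template plus per-sensor overrides" approach Shirkdog describes, written out as a Salt state. This is an added example, not code from the thread or from any of the projects mentioned; the state path `/srv/salt/snort/init.sls`, the template paths under `salt://snort/files/`, the pillar key `snort:overrides` and the `snort` group are assumptions.

```yaml
# /srv/salt/snort/init.sls (assumed path), rendered by Salt as Jinja then YAML.
# Every sensor gets the same snort.conf template; per-sensor changes (HOME_NET,
# a bpf file, disabled SIDs) are supplied only as pillar overrides, so a diff of
# pillar data is the central view of what differs between sensors.

snort_conf:
  file.managed:
    - name: /etc/snort/snort.conf
    - source: salt://snort/files/snort.conf.jinja   # assumed template path
    - template: jinja
    - user: root
    - group: snort
    - mode: '0640'
    - backup: minion          # previous version kept on the sensor for rollback
    # Values every sensor starts from; the template reads them as {{ home_net }} etc.
    - defaults:
        home_net: 192.168.0.0/16
        bpf_file: /etc/snort/default.bpf
        disabled_sids: []
    # Sensor-specific overrides win over the defaults; empty dict if none set.
    - context: {{ salt['pillar.get']('snort:overrides', {}) | json }}

snort_threshold:
  file.managed:
    - name: /etc/snort/threshold.conf
    - source: salt://snort/files/threshold.conf.jinja   # assumed template path
    - template: jinja
    - user: root
    - group: snort
    - mode: '0640'
    - backup: minion

snort_service:
  service.running:
    - name: snort
    - enable: True
    - watch:                  # restart only when an enforced file actually changed
      - file: snort_conf
      - file: snort_threshold
```

Running `salt '*' state.apply snort test=True` reports, per sensor, any drift from the rendered files without changing anything, which covers the "view centrally without ssh" part of the original question.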