[Snort-users] Automation tools to manage NIDS servers?
jnebrera at ...16842...
Sat Jan 31 09:28:31 EST 2015
If you want to manage a big sensor base and don't mind working from the CLI and
text files, either Chef or Puppet or Salt or any of those is a great choice.
If you want to view events, the most popular at this moment would be Snorby,
but it has significant scalability issues.
Tools like Security Onion combine many of these in a ready-to-go system; in
particular I believe they use Snorby for event management and Salt for
But all these tools lack enterprise-type requirements (user roles, auditing,
hierarchical environments, etc) and lack a powerful policy or rule
Please allow me to suggest our project, redBorder.net / org. Originally
based on Snorby, it has been enhanced since the early days to fully replace its
code base with big data technology.
In essence, we store events in Hadoop and an OLAP engine after processing
them through an Apache Kafka service bus. While not available yet, we are
working on an intelligence layer based on Apache Storm for data enrichment,
mining and correlation.
Probe management is done through an underlying Chef system, but it is fully
Web based. There is also a very powerful policy management system.
At this moment it is limited to managing our own probes only, but we are working
on a more general release able to manage any barnyard2 / snort type rules
environment (this includes Suricata, for example).
I hope the Community release will be made public in about two weeks. The current
public code base is SQL based and honestly, has nothing to compare to the
current codebase. I strongly suggest waiting those two weeks.
The Community release is fully open source (Affero GPL) and available for free.
I'm not going to discuss the Enterprise release on this list.
We really hope this project will foster a great open source intelligence
community alongside Snort.
On 29/01/2015 18:50, "Bryan Arenal" <b.arenal at ...11827...> wrote:
> I was wondering what automation tools people use to manage their NIDS
> servers. My group uses puppet for other types of boxes but I haven't
> used it for my boxes.
> Before I go down that path, I was just curious if there's something
> better that others prefer.
> Thanks for any suggestions!