[Snort-users] Central Server
bbice at ...3506...
Thu Nov 17 10:23:10 EST 2016
Look under "3rd Party Projects". There's a bunch of different
things there but some of 'em are related to what you're after. In
particular, you'll want barnyard2 (to read the snort unified files and
then log to one or more central systems) and maybe snorby.
I used snorby until recently. I'd upgraded barnyard2 (for better
syslog'ing of snort stuff), then found snorby was having problems. I
grabbed a newer snorby which was going to need a newer ruby and the
newer ruby had other pre-reqs and I was going to wind up having to
upgrade the entire OS of my snorby server.
Anyway, at that point, I tossed snorby just because I had a new
alternative. I'd recently built a distributed log server on
elasticsearch and kibana (which was why I wanted the newer barnyard2)
and now I just use kibana and my dandy new log system to look through
snort alerts. The log system isn't really packaged up 'n polished yet
(the syslog daemon written in NodeJS is somewhat SGI-specific still) or
I'd spin up a site for it and ask it to be added to the 3rd party list
but for the curious, take a peek at:
https://www.youtube.com/watch?v=NW9-AgmUi_o (skip to 1:40 if you want to
skip to where I used it to find a bot-infection start)
Skip to 8:10 if you want to see just snort-related stuff.
Anyway, I point all that out only to encourage you to consult Google
also. With Barnyard2 there are LOTS of options for what you can do with
the snort alerts and how to store them and LOTS of options for then
analyzing/searching those alert stores. Different people will have
different ideas of what options are important to them so I'd recommend
trying several out before you decide which one (or maybe more than one)
will be the best for your needs.
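To make the barnyard2 step concrete, here is a small reader for the unified2 spool files that Snort writes and barnyard2 consumes, turning each alert into a JSON line of the kind a central syslog or Elasticsearch collector would ingest. This is an added example written for this page; it is not bbice's log system, not barnyard2 code, and not the Snort project's code. It assumes the record layouts from Snort's unified2 definitions (a type 7 IPv4 event of 52 bytes and a type 2 packet record), the JSON field names are my own choice, and the sample spool is constructed inline rather than captured from a real sensor. It also keys events by (sensor_id, event_id), which assumes each remote site's sensor is configured with a distinct sensor id; that is what lets alerts from sites that share a subnet scheme stay distinguishable once they land in one store. The constructed spool ends with a half-written record to show the one failure mode a spool reader must handle: Snort appends while the reader is reading, so a short tail is normal and should be retried from the remembered offset (barnyard2's waldo file), not treated as corruption.

```python
import json
import socket
import struct
from typing import Iterator

# Record header and body layouts are Snort's unified2 definitions (network byte order).
RECORD_HDR = struct.Struct("!II")        # record type, body length
IDS_EVENT = struct.Struct("!11I2H4B")    # type 7: IPv4 IDS event, 52 bytes
PACKET_HDR = struct.Struct("!7I")        # type 2: packet header, 28 bytes, then the frame

UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision",
    "classification_id", "priority_id", "ip_source", "ip_destination",
    "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked",
)


def iter_records(data: bytes) -> Iterator[tuple[int, bytes]]:
    """Yield (record_type, body) pairs; stop at a record whose body is not fully on disk yet.

    Snort appends to the spool while the reader works, so a short tail is normal:
    remember the offset (barnyard2's waldo file) and retry later, do not discard.
    """
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, length = RECORD_HDR.unpack_from(data, off)
        body_start = off + RECORD_HDR.size
        if body_start + length > len(data):
            break  # partial record: a later read will complete it
        yield rtype, data[body_start:body_start + length]
        off = body_start + length


def parse_event(body: bytes) -> dict:
    """Decode a type-7 event body into a dict with dotted-quad addresses."""
    if len(body) < IDS_EVENT.size:
        raise ValueError("short unified2 IDS event record")
    ev = dict(zip(EVENT_FIELDS, IDS_EVENT.unpack_from(body)))
    for key in ("ip_source", "ip_destination"):
        ev[key] = socket.inet_ntoa(struct.pack("!I", ev[key]))
    return ev


def parse_packet(body: bytes) -> dict:
    """Decode a type-2 packet record: seven u32 header fields, then the raw frame."""
    (sensor_id, event_id, event_second, packet_second,
     packet_microsecond, linktype, packet_length) = PACKET_HDR.unpack_from(body)
    frame = body[PACKET_HDR.size:PACKET_HDR.size + packet_length]
    return {"sensor_id": sensor_id, "event_id": event_id, "event_second": event_second,
            "packet_second": packet_second, "packet_microsecond": packet_microsecond,
            "linktype": linktype, "frame": frame}


def collect_events(data: bytes) -> list[dict]:
    """Pair each event with its packet record (same sensor_id/event_id), in spool order."""
    events: dict[tuple[int, int], dict] = {}
    order: list[tuple[int, int]] = []
    for rtype, body in iter_records(data):
        if rtype == UNIFIED2_IDS_EVENT:
            ev = parse_event(body)
            key = (ev["sensor_id"], ev["event_id"])
            events[key] = ev
            order.append(key)
        elif rtype == UNIFIED2_PACKET:
            pk = parse_packet(body)
            key = (pk["sensor_id"], pk["event_id"])
            if key in events:
                events[key]["packet_hex"] = pk["frame"].hex()
        # other record types (IPv6 events, extra data) are ignored in this example
    return [events[k] for k in order]


def to_json_lines(data: bytes) -> list[str]:
    """One JSON object per line: the shape a syslog or Elasticsearch shipper would send."""
    return [json.dumps(ev, sort_keys=True) for ev in collect_events(data)]


def build_sample_spool() -> bytes:
    """Constructed sample spool (not from a real sensor): one IPv4 event from a
    hypothetical local rule SID 1000001, its packet, then a half-written record."""
    def ip(dotted: str) -> int:
        return struct.unpack("!I", socket.inet_aton(dotted))[0]

    event = IDS_EVENT.pack(
        1, 7, 1479396190, 123456,      # sensor_id, event_id, event_second, event_microsecond
        1000001, 1, 1,                 # signature_id, generator_id, signature_revision
        3, 2,                          # classification_id, priority_id
        ip("10.0.0.5"), ip("192.168.1.10"),
        45120, 80, 6,                  # source port, destination port, protocol (TCP)
        0, 0, 0,                       # impact_flag, impact, blocked
    )
    frame = bytes(range(20))           # placeholder frame bytes, linktype 1 (Ethernet)
    packet = PACKET_HDR.pack(1, 7, 1479396190, 1479396190, 123456, 1, len(frame)) + frame
    truncated = RECORD_HDR.pack(UNIFIED2_IDS_EVENT, IDS_EVENT.size) + b"\x00" * 10
    return (RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(event)) + event
            + RECORD_HDR.pack(UNIFIED2_PACKET, len(packet)) + packet
            + truncated)


if __name__ == "__main__":
    for line in to_json_lines(build_sample_spool()):
        print(line)
```

Run it and you get a single JSON line for the event, with the packet bytes attached as hex and the trailing partial record left for a later read. In production barnyard2 does this job (plus the waldo bookkeeping and the database or syslog output), but seeing the record structure makes it obvious what actually travels to the central server: a few dozen bytes of event metadata plus the triggering packet per alert, not the raw traffic.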
On 11/16/2016 10:08 PM, Eric J. Taylor wrote:
> Good day,
> Hope all is well with everyone. New to Snort and the IDS/IPS world, but
> looking forward to having more secure network(s).
> I hope this is an easy answer to my question today. Been reading through
> the docs, and I see no mention about having a central server for
> multiple locations. The locations are not joined in any fashion, as in
> separate companies altogether. If I was to put a central Snort box and
> connect the firewalls (mostly MikroTik) to the central server, is there
> any special gotchas or considerations I need to review? I also don't
> know how much traffic is really sent over the WAN for analysis either.
> As a couple of sites use the same subnet schema, I will have to consider
> some changes at the locations to support IPSec from remote site to
> central server; if IPSec between locations is recommended.
> And please, if I am overlooking this part in the documents please point
> me to it, as I don't see it currently.
> Thanks in advance for your time and helpfulness as I try to figure this
> puzzle out.
> P.S. Any grammar or humorous statements are courtesy of Android.
> Eric Taylor
> Owner | Veterinary IT Support Specialist
> 800-324-9941 x1005
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Please visit http://blog.snort.org to stay current on all the latest Snort news!