Re: Snort Architecture and Management
From: Jaime Nebrera <jnebrera () eneotecnologia com>
Date: Fri, 31 May 2013 13:42:26 +0200
I would suggest you take a look at the www.redBorder.net project, as it
includes all the features you are seeking (as well as some extras),
all under an open source license. In particular:
1) Provides a central point of event storage through Barnyard2 as you
2) Provides a central point to view such events and work with them.
Originally based on Snorby, it currently adds many features in this area,
especially when considering multi-tenancy environments.
3) Provides a rule management system as well as an SNMP monitoring framework.
Current community release is 2.2.24 but we hope to make public 2.2.28
It also contains a high performance probe with specific enhancements
for Snort working on top of pf_ring. Still, we are aware of users
employing their own sensor system who still use the manager side.
> I currently have several Snort sensors spread across the world at
> different sites. Each sensor runs independently of the others; it's
> the basic Snort dumping to MySQL and an ArcSight connector pulling
> from the DB and shoveling the alerts into ArcSight. We support a
> growing 10K plus rule set. So each sensor has its own copy of Snort,
> MySQL and ArcSight Connector running. We are about to roll out many
> more sensors and this approach is not manageable so it needs to be
> re-architected and I'm looking for any and all suggestions from those
> who are already doing more.
> I'm going to implement Barnyard2 unless someone has a reason why I
> should stick with Barnyard.
> My plan is to have each sensor only running Snort and Barnyard2 and
> dumping to two managers (for redundancy). The managers will be running
> MySQL and the ArcSight connector will be running on a separate server
> and pulling from the DB. This way I only have to manage two databases
> and two connectors. I would also like to add a GUI so I was
> considering BASE to give my analysts a more robust tool to go through
> alerts and do some reporting.
> 1. I'm currently running RedHat but am fluent in any flavor of Linux.
> Which is the most widely supported OS for Snort and Snort-related apps?
> It seems like CentOS is very popular among Snort users.
Our sensors are based on CentOS 6.x but you are free to use others
(this requires some work on your side though).
> 2. Is there a way I can cache events on the sensors temporarily if the
> connection is lost between the sensor and the manager?
BY2 already includes that, but it is very important to use a recent release.
> 3. Are there better options for a GUI than BASE? I would even consider
> running two if there was enough value in both.
As said, redBorder :D
> 4. I'm looking for management tools for the sensors and the rules that
> I can run from the managers.
> 5. Any suggestions for managing large rule sets instead of one flat file?
> If I'm going to redo this thing I want to do it right.
In a future release we hope to extend this model to use a Kafka-based
messaging system and BigData "type" event management, but this is not
This software is being used in environments with more than 100
sensors centrally managed, but it is just a matter of hardware to scale.
PS.- I work for the company developing redBorder
Jaime Nebrera - jnebrera () eneotecnologia com
Consultor TI - ENEO Tecnologia SL
C/ Manufactura 2, Edificio Euro, Oficina 3N
Mairena del Aljarafe - 41927 - Sevilla
Telf.- 955 60 11 60 / 619 04 55 18
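The sensor-side half of the plan discussed above (Snort writing unified2 spool files, Barnyard2 on the same box shipping them to two MySQL managers) as an added configuration example. This is not from the original thread, from Snort's distribution or from redBorder; hostnames, paths, interface name, credentials and the sensor name are placeholders. It also shows where the on-disk caching asked about in question 2 comes from: Snort writes unified2 files to the spool directory and Barnyard2 reads them behind a waldo bookmark, so records that cannot yet be delivered simply sit in the spool on the sensor until Barnyard2 catches up.

```conf
# --- snort.conf on each sensor (added example) ---
# Log alerts and packets to unified2 spool files instead of writing to
# MySQL directly. Files rotate when they reach the limit (MB, placeholder).
output unified2: filename snort.u2, limit 128

# --- barnyard2.conf on each sensor (added example, placeholder values) ---
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map

# How this sensor is identified in the central database
config hostname:  sensor-site1
config interface: eth1

# Bookmark of the last unified2 record processed. After a restart or a
# manager outage Barnyard2 resumes from here instead of replaying or
# skipping events; the unprocessed records stay in the spool directory.
config waldo_file: /var/log/snort/barnyard2.waldo

input unified2

# Two managers for redundancy: every event is inserted into both
# databases by the same Barnyard2 instance.
output database: log, mysql, user=snort password=CHANGEME dbname=snort host=manager1.example.net
output database: log, mysql, user=snort password=CHANGEME dbname=snort host=manager2.example.net

# Start in continuous mode, following the spool directory as a daemon:
#   barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 \
#             -w /var/log/snort/barnyard2.waldo -D
```

Before relying on the two database outputs for redundancy, test on a sensor what Barnyard2 does when only one manager is unreachable (whether it waits and retries on that output or keeps delivering to the other), and size the spool partition for the longest outage you want to survive: the unified2 files, not Barnyard2 itself, are the cache.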