Re: Snort Architecture and Management
From: Jaime Nebrera <jnebrera () eneotecnologia com>
Date: Fri, 31 May 2013 13:45:49 +0200
On 31/05/13 04:17, Steven McLaughlin wrote:
> I am currently working on developing a scale architecture like
> yourself so I can give you input from my experience.
> I prefer the Snorby front end myself if you are looking for a GUI.
> I've used BASE before which is also very good. Have you also had a
> look at Squert/Sguil?
> Am also using barnyard2 for spooling and CentOS is also my favorite.
> As far as caching the events in the event of an outage I think by2 is
> your best option. It uses a waldo bookmark file for the very purpose
> of knowing where it last left off with the unified2 files. However I
> would be interested to hear the best place to run by2 (either on the
> sensor node or the DB node?) The thing with by2 is that you have to
> specify an input folder so would require a remote folder mount if NOT
> on the same box as the sensor.
> But if by2 was running on the same box as the sensor, will it also put
> a hold on processing if the connection to the SQL DB goes down? That
> is something I would like to know.
By2 does recover from the database going down, but you need to use a
recent version. We have experienced trouble with older ones in this
case. In the meantime, events are just pooled.
Of course, our proposal would be to test the kafka plugin we open
sourced (http://redborder.net/barnyard2_kafka_plugin/), but right now it is
alpha quality at best.
Jaime Nebrera - jnebrera () eneotecnologia com
Consultor TI - ENEO Tecnologia SL
C/ Manufactura 2, Edificio Euro, Oficina 3N
Mairena del Aljarafe - 41927 - Sevilla
Telf.- 955 60 11 60 / 619 04 55 18
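The mechanism discussed in this thread (barnyard2 reading unified2 spool files, keeping a bookmark of where it left off, and resuming once the database is reachable again) is easy to misjudge without seeing it run. The following is an added example written for this archive page; it is not barnyard2's code. It uses the real unified2 framing (a big-endian uint32 record type followed by a uint32 body length), but the record bodies are constructed placeholders, the JSON bookmark is a simplification of barnyard2's waldo file, and `FlakyDatabase` and `spool_to_db` are hypothetical stand-ins for the SQL output plugin and the spool loop.

```python
import json
import os
import struct
import tempfile

# Unified2 record header: big-endian uint32 record type, uint32 body length.
U2_HEADER = struct.Struct("!II")
U2_PACKET = 2        # record type numbers from the unified2 format
U2_IDS_EVENT = 7


def write_records(path, records):
    """Append (record_type, body) pairs to a spool file using unified2 framing."""
    with open(path, "ab") as fh:
        for rtype, body in records:
            fh.write(U2_HEADER.pack(rtype, len(body)) + body)


def read_records(path, offset):
    """Yield (record_type, body, end_offset) starting at `offset`.

    Stops cleanly at a partial record: Snort may still be writing it, so the
    reader must never treat a short read as corruption."""
    with open(path, "rb") as fh:
        fh.seek(offset)
        while True:
            hdr = fh.read(U2_HEADER.size)
            if len(hdr) < U2_HEADER.size:
                return
            rtype, length = U2_HEADER.unpack(hdr)
            body = fh.read(length)
            if len(body) < length:
                return
            yield rtype, body, fh.tell()


def load_bookmark(path):
    if not os.path.exists(path):
        return {"file": None, "offset": 0}
    with open(path) as fh:
        return json.load(fh)


def save_bookmark(path, spool_file, offset):
    # Write-then-rename so a crash mid-write never leaves a half-written bookmark.
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        json.dump({"file": spool_file, "offset": offset}, fh)
    os.replace(tmp, path)


class FlakyDatabase:
    """Stand-in for the SQL output plugin; goes down after `fail_after` inserts."""
    def __init__(self, fail_after=None):
        self.fail_after = fail_after
        self.down = False
        self.rows = []

    def insert(self, rtype, body):
        if self.fail_after is not None and len(self.rows) >= self.fail_after:
            self.down = True
        if self.down:
            raise ConnectionError("database unreachable")
        self.rows.append((rtype, body))


def spool_to_db(spool_path, bookmark_path, db):
    """Push unprocessed records to the DB, advancing the bookmark only after a
    successful insert. Returns the number of records inserted in this pass."""
    bm = load_bookmark(bookmark_path)
    offset = bm["offset"] if bm["file"] == spool_path else 0
    inserted = 0
    for rtype, body, end in read_records(spool_path, offset):
        try:
            db.insert(rtype, body)
        except ConnectionError:
            break  # bookmark stays put; the record remains in the spool for the next pass
        save_bookmark(bookmark_path, spool_path, end)
        inserted += 1
    return inserted


def run_demo(workdir=None):
    """Outage, recovery, new events, and a partial record, in one run."""
    workdir = workdir or tempfile.mkdtemp()
    spool = os.path.join(workdir, "snort.u2.1")
    waldo = os.path.join(workdir, "barnyard2.waldo")
    # Constructed sample events; real bodies would be unified2 event structs.
    write_records(spool, [(U2_IDS_EVENT, b"event-%d" % i) for i in range(5)])

    db = FlakyDatabase(fail_after=2)
    first = spool_to_db(spool, waldo, db)    # DB dies after 2 inserts
    db.down, db.fail_after = False, None     # DB comes back
    second = spool_to_db(spool, waldo, db)   # remaining 3 delivered, none repeated
    write_records(spool, [(U2_PACKET, b"packet-0")])  # Snort keeps appending
    third = spool_to_db(spool, waldo, db)
    with open(spool, "ab") as fh:
        fh.write(b"\x00\x00\x00\x07\x00\x00")  # truncated header mid-write
    fourth = spool_to_db(spool, waldo, db)   # must stop cleanly, insert nothing
    return {"first": first, "second": second, "third": third, "fourth": fourth,
            "total": len(db.rows), "unique": len(set(db.rows)),
            "offset": load_bookmark(waldo)["offset"]}


if __name__ == "__main__":
    print(run_demo())
```

The point of the bookmark-after-commit ordering is the one the thread is asking about: when the database is down, nothing is lost and nothing is duplicated, because the spool file is the durable queue and the bookmark only moves past a record once the insert succeeded. Running the spool reader on the sensor box, as the question proposes, works with the same logic; the spool directory simply has to be local to whichever box runs it.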
Snort-users mailing list
Snort-users () lists sourceforge net