Snort mailing list archives

Re: Snort Architecture and Management
From: "Morris, Shane (US SSA)" <shane.morris () baesystems com>
Date: Fri, 31 May 2013 17:18:10 +0000

Thanks Joel, I appreciate it.

From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Friday, May 31, 2013 11:23 AM
To: Morris, Shane (US SSA)
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort Architecture and Management

On May 30, 2013, at 8:53 PM, "Morris, Shane (US SSA)" <shane.morris () baesystems com> wrote:

1. I'm currently running RedHat but am fluent in any flavor of Linux. Which is the most widely supported OS for Snort and Snort-related apps? It seems like CentOS is very popular among Snort users.

Unfortunately we have no way of measuring that from the server side, but it appears that redhat/centos/fedora is probably the most widely used, I think.

2. Is there a way I can cache events on the sensors temporarily if the connection is lost between the sensor and the manager?

barnyard2 will retry its connection if it goes down, so, yes.

3. Are there better options for a GUI than BASE? I would even consider running two if there was enough value in

Snorby seems to be the hottest thing right now, but I don't think it requires barnyard2.

4. I'm looking for management tools for the sensors and the rules that I can run from the managers.

Aside from commercial/free-commercial solutions, there's really not a good one that I know of.

5. Any suggestions for managing large rule sets instead of one flat file?

Pulledpork does a good job of managing rulesets with its disable-sid.conf and enable-sid.conf, but everyone has a completely different use case.

Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
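As an added illustration of the enable/disable-SID approach Joel mentions (this is not code from the thread or from pulledpork itself), a small Python routine that applies such lists to a Snort rules file. The list syntax it parses (gid:sid entries and gid:sid-gid:sid ranges, comma- or newline-separated) and the sample rules are assumptions, not pulledpork's exact format.

```python
import re

def parse_sid_list(text):
    """Parse an assumed disable/enable list: 'gid:sid' entries or
    'gid:sid-gid:sid' ranges, separated by commas/newlines, '#' comments."""
    sids = set()
    for raw in re.split(r"[,\n]", text):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        if "-" in entry:
            lo, hi = entry.split("-", 1)
            g1, s1 = map(int, lo.split(":"))
            g2, s2 = map(int, hi.split(":"))
            if g1 != g2:
                raise ValueError(f"range crosses gids: {entry}")
            sids.update((g1, s) for s in range(s1, s2 + 1))
        else:
            g, s = map(int, entry.split(":"))
            sids.add((g, s))
    return sids

_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
_GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")

def apply_sid_policy(rules_text, disable_text, enable_text):
    """Comment out rules listed in disable_text, uncomment those in
    enable_text (enable wins on conflict); rules without a sid pass through."""
    disable = parse_sid_list(disable_text)
    enable = parse_sid_list(enable_text)
    out = []
    for line in rules_text.splitlines():
        m = _SID_RE.search(line)
        if not m:
            out.append(line)
            continue
        gm = _GID_RE.search(line)          # Snort defaults gid to 1 when absent
        key = (int(gm.group(1)) if gm else 1, int(m.group(1)))
        body = line.strip().lstrip("# ")   # rule text without any leading comment marker
        if key in enable:
            out.append(body)
        elif key in disable:
            out.append("# " + body)
        else:
            out.append(line)
    return "\n".join(out)

# Constructed sample input (not real rules): one already-disabled rule, one explicit gid.
RULES = '''alert tcp any any -> any 80 (msg:"test one"; sid:1000001; rev:1;)
# alert tcp any any -> any 443 (msg:"test two"; sid:1000002; rev:1;)
alert tcp any any -> any 22 (msg:"test three"; gid:1; sid:1000003; rev:1;)
alert udp any any -> any 53 (msg:"test four"; sid:1000004; rev:1;)
'''
DISABLE = "1:1000001\n1:1000003-1:1000004  # noisy range\n"
ENABLE = "1:1000002, 1:1000004"
```

Running `apply_sid_policy(RULES, DISABLE, ENABLE)` disables sids 1000001 and 1000003, re-enables 1000002, and keeps 1000004 active because the enable list overrides the disable range.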
