Snort mailing list archives
Re: Snort Architecture and Managment
From: Jaime Nebrera <jnebrera () eneotecnologia com>
Date: Fri, 31 May 2013 13:45:49 +0200
On 31/05/13 04:17, Steven McLaughlin wrote:
> Hi Shane,
>
> I am currently working on developing a scale architecture like yourself, so I can give you input from my experience. I prefer the Snorby front end myself if you are looking for a GUI. I've used BASE before, which is also very good. Have you also had a look at Squert/Sguil?
>
> Am also using barnyard2 for spooling, and CentOS is also my favorite Snort platform.
+1
> As far as caching the events in the event of an outage, I think by2 is your best option. It uses a waldo bookmark file for the very purpose of knowing where it last left off with the unified2 files. However, I would be interested to hear the best place to run by2 (either on the sensor node or the DB node?). The thing with by2 is that you have to specify an input folder, so it would require a remote folder mount if NOT on the same box as the sensor. But if by2 was running on the same box as the sensor, will it also put a hold on processing if the connection to the SQL DB goes down? That is something I would like to know.
By2 does recover from the database going down, but you need to use a recent version. We have experienced trouble with older ones in this case. In the meantime, events are just pooled.

Of course, our proposal would be to test the kafka plugin we open sourced (http://redborder.net/barnyard2_kafka_plugin/), but right now it is alpha quality at best.

Regards

--
Jaime Nebrera - jnebrera () eneotecnologia com
Consultor TI - ENEO Tecnologia SL
C/ Manufactura 2, Edificio Euro, Oficina 3N
Mairena del Aljarafe - 41927 - Sevilla
Telf.- 955 60 11 60 / 619 04 55 18
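The spool-and-bookmark behaviour discussed above (by2 reading Snort's unified2 records from a spool directory, keeping a waldo bookmark of where it left off, and resuming once the database is reachable again) as an added Python example; this is not code from the thread or from barnyard2 itself. It models the bookmark as a plain byte offset over a constructed in-memory spool rather than barnyard2's real waldo file and spool directory, and stands in for the database output plugin with a small class whose `up` flag simulates an outage; the record header and the legacy IPv4 event layout (record type 7, 52-byte big-endian body) follow the unified2 format Snort writes.

```python
import struct

# unified2 on-disk layout (big-endian): an 8-byte record header, then the body.
UNIFIED2_IDS_EVENT = 7                              # legacy IPv4 alert record
REC_HDR = struct.Struct("!II")                      # type, length of body
IDS_EVENT = struct.Struct("!IIIIIIIIIIIHHBBBB")     # 52-byte event body


def build_event(event_id, sid, src, dst, ts=1369998000):
    """Constructed sample record shaped like a Snort unified2 IPv4 alert."""
    body = IDS_EVENT.pack(1, event_id, ts, 0,      # sensor_id, event_id, sec, usec
                          sid, 1, 1, 0, 1,         # sid, gid, rev, class, priority
                          src, dst, 12345, 80,     # ip_src, ip_dst, sport, dport
                          6, 0, 0, 0)              # proto (tcp), impact_flag, impact, blocked
    return REC_HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body


def read_records(spool: bytes, offset: int):
    """Yield (end_offset, type, body) for every complete record from `offset` on.
    A truncated trailing record (Snort may still be writing it) is left for the next pass."""
    while offset + REC_HDR.size <= len(spool):
        rtype, length = REC_HDR.unpack_from(spool, offset)
        end = offset + REC_HDR.size + length
        if end > len(spool):
            break
        yield end, rtype, spool[offset + REC_HDR.size:end]
        offset = end


class DatabaseSink:
    """Stand-in (assumed, not barnyard2's plugin) for the database output; `up` simulates outages."""

    def __init__(self):
        self.up = True
        self.rows = []

    def insert(self, event):
        if not self.up:
            raise ConnectionError("database unreachable")
        self.rows.append(event)


class Spooler:
    """Minimal by2-style spooler: the bookmark only advances after a committed insert."""

    def __init__(self, sink):
        self.sink = sink
        self.waldo = 0  # bookmark: byte offset just past the last fully processed record

    def process(self, spool: bytes) -> int:
        """Process records after the bookmark and return how many were committed.
        On a database error the bookmark is left at the first unprocessed record,
        so the next pass retries it without re-inserting earlier events."""
        committed = 0
        for end, rtype, body in read_records(spool, self.waldo):
            if rtype == UNIFIED2_IDS_EVENT:
                f = IDS_EVENT.unpack(body)
                event = {"event_id": f[1], "sid": f[4], "src": f[9], "dst": f[10]}
                try:
                    self.sink.insert(event)
                except ConnectionError:
                    return committed
            # other record types (packet, extra data) are skipped in this model
            self.waldo = end
            committed += 1
        return committed


def run_scenario():
    """Constructed run: alerts arrive, the DB drops out, alerts keep spooling, the DB returns."""
    events = [build_event(i, 1000000 + i, 0x0A000001, 0x0A000002) for i in range(1, 5)]
    sink = DatabaseSink()
    spooler = Spooler(sink)
    out = {}
    spool = b"".join(events[:2])
    out["first_pass"] = spooler.process(spool)           # 2 committed
    sink.up = False                                       # database goes down
    spool = b"".join(events) + events[0][:5]              # two more alerts plus a half-written record
    out["during_outage"] = spooler.process(spool)         # 0 committed, bookmark untouched
    out["waldo_unchanged"] = spooler.waldo == 2 * len(events[0])
    sink.up = True                                        # database back
    out["after_recovery"] = spooler.process(spool)        # 2 committed, nothing duplicated
    out["event_ids"] = [r["event_id"] for r in sink.rows]  # [1, 2, 3, 4]
    return out


if __name__ == "__main__":
    print(run_scenario())
```

The point the thread is circling is visible in `process`: the bookmark is written only after the insert succeeds, so a database outage stalls the consumer but loses nothing, and the spool keeps growing on disk in the meantime. The same property is what makes it safe to run by2 on the sensor, where the spool is local, as long as the spool volume is sized for the longest outage you expect to ride out.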
Current thread:
- Snort Architecture and Managment Morris, Shane (US SSA) (May 30)
- <Possible follow-ups>
- Re: Snort Architecture and Managment Steven McLaughlin (May 30)
- Re: Snort Architecture and Managment Jaime Nebrera (May 31)
- Re: Snort Architecture and Managment Morris, Shane (US SSA) (May 31)
- Re: Snort Architecture and Managment Jaime Nebrera (May 31)
- Re: Snort Architecture and Managment Morris, Shane (US SSA) (May 31)
- Re: Snort Architecture and Managment Joel Esler (May 31)
- Re: Snort Architecture and Managment Morris, Shane (US SSA) (May 31)
