Snort mailing list archives
Re: what would be the appropriate thing to do?
From: "Onie Camara" <neil () restricted dyndns org>
Date: Thu, 4 Apr 2002 23:38:50 -0600
Hi Sandro,

Thanks for the idea. I've got a question though on barnyard. This means that logging from branch site to main site via barnyard will not be realtime, am I correct? Is there any equivalent parameter of unified logging in the command line?

----- Original Message -----
From: "Poppi, Sandro" <Sandro.Poppi () wacker com>
To: "'Onie Camara'" <neil () restricted dyndns org>; <Snort-users () lists sourceforge net>
Sent: Thursday, April 04, 2002 11:10 PM
Subject: AW: [Snort-users] what would be the appropriate thing to do?
I'm in the same situation right now. I thought of using the following scenario:

- let snort use the unified output plugin
- use barnyard to send the data to a central mysql database
- use stunnel to encrypt the barnyard-db connection

With this configuration there shouldn't be a performance issue with snort because snort only logs locally. What could be a performance issue is when there are a lot of alerts to be sent to the db and the wan line is already busy, but that's another question.

I will test that hopefully soon in my lab.

Any comments?

BTW, the barnyard homepage is http://sourceforge.net/projects/barnyard

HTH,
Sandro

Ok. Assuming I have set up many sensors on the main ofc and a few more sensors on another branch. These sensors log to mysql db. On the branch site, it does not log to mysql located in the main ofc. I recall a post that someone mentioned about rsync but I couldn't remember how it was used.

1. Would it be a good idea to configure branch site to log to the main site? I'm seeing performance degradation here as it will use the wan connection.
2. In just one site, say main ofc, is it a good idea to configure the sensors to log to a main mysql server?
3. What would be the best design of snort if I will install if the network is Enterprise.

Thanks.
Neil

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users