Snort mailing list archives
RE: question on distributed snort collection
From: "Williams Jon" <WilliamsJonathan () JohnDeere com>
Date: Wed, 4 Jun 2003 15:18:37 -0500
I don't know about preferred yet. How 'bout I let you know in a few months :-)

Seriously, though, I'm going through similar issues now. For the time being, I'm having all sensors, where all is still a fairly small number in my mind, report back to a single console for analysis. While this means that there's more stuff to dig through in order to find the really serious alarms, it also means that I've got one-stop shopping and don't have to go through fifteen different consoles to do my aggregation when I'm tracking down a baddie. Once again, this is still in the early phases, so I may change my mind when I get my environment bigger.

Right now, my biggest issues are more operational, like how do I keep patches up-to-date on boxes on the other side of the International Date Line and where the nearest admin is 6 hours away by plane and doesn't have an account on it. Small stuff like that.

Jon

-----Original Message-----
From: Garrett.Allen () ser com [mailto:Garrett.Allen () ser com]
Sent: Wednesday, June 04, 2003 3:01 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] question on distributed snort collection

i've gotten the pink beastie stable and am getting useful info out. so far, so good. now i would like to extend to remote locations. is there a preferred means of doing this? flat vs. tiered mom (mom = monitor of monitors)? still in the planning phase and have time to test in the lab, but any shortcuts / recommendations are appreciated.

thanks.

garrett

-------------------------------------------------------
This SF.net email is sponsored by: Etnus, makers of TotalView, The best thread debugger on the planet. Designed with thread debugging features you've never dreamed of, try TotalView 6 free at www.etnus.com.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- question on distributed snort collection Garrett . Allen (Jun 04)
- Re: question on distributed snort collection Bamm Visscher (Jun 04)
- <Possible follow-ups>
- RE: question on distributed snort collection Williams Jon (Jun 04)