Re: Rebuilding the wheel

[Mike Miller <mike () millertwinracing com>]

I've actually been playing with auto snort while on Xmas vacation....runs,
completes, reboots, then...well that's as far as be gotten...there isn't a
snort process, and I can't reach the stats web page. (CentOS) but honestly.
That was where I was at about two hours ago when I got distracted. I'll
look back into it in a little bit.

On Thursday, December 27, 2012, Tony Robinson wrote:

> I feel so loved for having autosnort mentioned :-). Autosnort still has a
> bit of work before it can do what you ask,  but the next project milestone
> is to have autosnort present a syslog only option for deployments like this
> so snort can easily integrate into a siem solution and just give you alerts.
>
> Other alternatives for you would be to utilize a configuration management
> solution for linux like puppet, chef or spacewalk
>
> Build out a single sensor and use that as a deployment template for your
> other sensors
>
> Hope this helps.
> On Dec 21, 2012 2:55 PM, "Y M" <snort () outlook com> wrote:
>
> Besides Security Onion, you may want to take a look at Autosnort for
> automating the build of a Snort box:
> Blog: http://autosnort.blogspot.com/
> Scirpts: http://snort.org/docs
>
> > From: mike () millertwinracing com
> > Date: Wed, 19 Dec 2012 10:06:25 -0700
> > To: snort-users () lists sourceforge net
> > Subject: [Snort-users] Rebuilding the wheel
> >
> > I have a specific set of implementation requirements and have been away
> from Snort long enough that I figured I'd ask before rebuilding the wheel
> (as fun as that initially sounds)
> > six or so years ago, we had a 14 IDS infrastructure that bubbled it's
> results up to a Qradar box. The sensors were originally Gentoo boxes and
> worked well, but required a pretty serious investment in Gentoo to keep
> them running. They were also ONLY snort boxes. Sure, you could hop on them
> and run a TCPdump, but they were one trick ponys...also importantly: they
> were on the outside interface, meaning they didn't see NATTed traffic.
> > I've used AlienVault and Security onion, and they are both more, and
> less than I want. I'm having issues with dropped packets on one of the
> first boxes, and it seems to be kernel related (fiber intel e1000 card on a
> HUGE DL585, 8 core, 32 Gb RAM, 1 gig feed). I'm still digging into
> compiling PF_ring support on a 2.8 kernel. Alienvault seemed to be doing
> too much, I don't need the bells and whistles, and Security Onion seems
> hell bent to record every single packet, which is great in an analyst box,
> but it's hell to tune.
> > What I'm looking for is automation to roll out and manage a box that
> does IDS stuff and receives syslog feeds to give visibility...from 22+
> locations.
> >
> ------------------------------------------------------------------------------
> > LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
> > Remotely access PCs and mobile devices and provide instant support
> > Improve your efficiency, and focus on delivering more value-add services
> > Discover what IT Professionals Know. Rescue delivers
> > http://p.sf.net/sfu/logmein_12329d2d
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
>
> ------------------------------------------------------------------------------
> LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
> Remotely access PCs and mobile devices and provide instant support
> Improve your efficiency, and focus on delivering more value-add services
> Discover what IT Professionals Know. Rescue delivers
> http://p.sf.net/sfu/logmein_12329d2d
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on a
------------------------------------------------------------------------------
Master HTML5, CSS3, ASP.NET, MVC, AJAX, Knockout.js, Web API and
much more. Get web development skills now with LearnDevNow -
350+ hours of step-by-step video tutorials by Microsoft MVPs and experts.
SALE $99.99 this month only -- learn more at:
http://p.sf.net/sfu/learnmore_122812

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!