[Sguil-users] sguil architecture questions
From: Roman D. <rom...@gm...> - 2007-04-27 08:25:31
I am trying to monitor a 1Gb full-duplex link via a network tap, as you all know. My understanding of sguil is that there are these parts:

1. Snort and Barnyard handling alert generation
2. Full packet logging via either snort or some other application
3. A MySQL database to store alerts? Or is it storing the full packet capture information?
4. The sguild server daemon
5. The sguil client

My question is, how can I organize these for optimal performance? I have the option of either colocating everything on one server, minus the client, or splitting them up between 2 or 3 servers. Do I set up snort and barnyard on one server, with the database on another co-located with the sguild server daemon? Is another server required that just does packet logging, given the high-bandwidth link? I am logging the entire packet (1515 on Ethernet). How does sguil obtain the full packet capture data from the packet logging server without affecting capturing performance?