[Sguil-users] sguil deployment questions
From: James A. <jam...@ya...> - 2006-07-04 00:20:09
Hi, Joe. Quick observation: sensor output should be UNIFIED logging.

Full content gets to the client as follows: analyst right-clicks on a sid-cid and selects transcript or ethereal. That sends a request through the sguild server, which asks for the right data from the sensor. sguild keeps a copy in an archive directory (on my sguild box, /var/sguild_data/archive/<date>/<sensor-name>) and forwards to the client.

Your setup seems pretty sound to me. Definitely put most of the storage with the sensors. Sguil will do log rotation for you, so you'll automatically get to keep however many days of full content you have room for. One thing: have a cron job restart log_packets.sh as often as you need to keep the pcaps below 1 gig. I do so every 15 mins.

No clues about gigamon.

> Message: 2
> Date: Mon, 03 Jul 2006 15:18:13 -0700
> From: Joe <js....@gm...>
> Subject: [Sguil-users] sguil deployment questions
> To: sgu...@li...
> Message-ID: <44A...@gm...>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> I wish to deploy sguil in my production environment. I've read/heard that if I am going to set up a distributed sguil environment, I should set up my boxes this way:
>
> Sguil Sensor HW
> -----------------------------
> 2x CPU
> 4GB RAM
> 1.8 TB (6x 300GB U320 SCSI)
> OS: OpenBSD 3.9
>
> * Snort will detect from a bridged interface.
> * Snort will write alerts to binary logfile.
> * Barnyard will read binary logfile and write alert data to sguildb
> * SANCP will capture session data and write to the sguildb
> * Log_packets.sh captures full content data and writes to 1.5 TB partition.
>
> QUESTION: How does the analyst view the full content data on the sguil sensor? Does this data get queried by the sguil server?
>
> I plan to build 4 sensors like this. I've been told that the box with the most disk space should be the sensor. One box will see 300-400MB/s, although I might be able to split this load up using one of these new boxes from Gigamon. See question about this below.
>
> Sguil Server (+database)
> -----------------------------
> 2x CPU
> 4GB RAM
> 300 GB
>
> Configuration:
> Will run the Sguil server and database.
>
> * Will store snort alert data and sancp session data from the sensors in the database.
>
> Does this configuration sound ideal? Any comments/suggestions?
>
> Also, one last thing. Has anyone heard of Gigamon? There is a new startup here in San Jose, CA called Gigamon. They make a device that aggregates traffic from taps. From what I can see, these devices will aggregate the multiple streams from taps and can send traffic to different monitoring ports. Theoretically, I could have multiple sensors monitoring different parts of a busy link. I would still have to purchase taps, but not the aggregation type. The aggregation is done on the gigamon box. Then I can monitor all or parts of the traffic to various monitor ports.
>
> I'm going to visit with them next week to see this in action.
>
> ------------------------------
>
> _______________________________________________
> Sguil-users mailing list
> Sgu...@li...
> https://lists.sourceforge.net/lists/listinfo/sguil-users
>
> End of Sguil-users Digest, Vol 2, Issue 1
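A size-triggered variant of the cron restart James describes, added here as an example (it is not code from the thread or from the sguil project); LOG_BASE, LOG_PACKETS and the per-day YYYY-MM-DD directory layout are assumptions, and the 1 GiB cap is the figure from the reply:

```shell
#!/bin/sh
# Added example, not from the thread or from sguil's own log_packets.sh.
# Restart the full-content logger only when the current pcap has reached
# a size cap, so cron can poll every few minutes without cycling a logger
# that has barely written anything.
# Assumed paths: LOG_BASE holds one directory per day (YYYY-MM-DD),
# LOG_PACKETS is the sguil script the reply says to restart.
LOG_BASE="${LOG_BASE:-/nsm/dailylogs}"
LOG_PACKETS="${LOG_PACKETS:-/usr/local/bin/log_packets.sh}"
MAX_BYTES="${MAX_BYTES:-1073741824}"   # 1 GiB, the cap discussed above

# size_of FILE: byte count, portable across BSD and GNU userland
size_of() { wc -c < "$1" | tr -d ' '; }

# newest_pcap DIR: most recently modified snort.log.* in DIR, or nothing
newest_pcap() { ls -t "$1"/snort.log.* 2>/dev/null | head -n 1; }

# needs_rotate FILE MAX: succeeds when FILE exists and is at least MAX bytes
needs_rotate() {
  [ -f "$1" ] || return 1
  [ "$(size_of "$1")" -ge "$2" ]
}

# check: inspect today's directory and restart the logger if the cap is hit
check() {
  today_dir="$LOG_BASE/$(date +%Y-%m-%d)"
  f=$(newest_pcap "$today_dir")
  if needs_rotate "$f" "$MAX_BYTES"; then
    echo "rotating: $f is $(size_of "$f") bytes"
    "$LOG_PACKETS" restart
  fi
}

# Run from cron, e.g.:  */5 * * * *  /usr/local/bin/pcap_rotate.sh check
case "${1:-}" in
  check) check ;;
esac
```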