[Sguil-users] some basic sguil questions
From: Sean M. <sea...@gm...> - 2006-07-07 07:52:16
Hello everyone,

After reading "The Tao of Network Security Monitoring" I have decided to implement sguil on Solaris 9 to replace our current Dragon IDS. I have compiled or downloaded from sunfreeware the various parts on my test box: tcpdump, ethereal, p0f, tcpflow, ntop, snort, barnyard. My next question is what needs to go where?

On the sensor I know I need snort and barnyard and the sguil sensor bits. I am using ActiveTcl on Solaris (is this a "bad thing"?). Do I also need p0f and tcpflow on the sensor, or only on the server?

On the server I need tcl, mysql etc. Do I need p0f and tcpflow and ethereal there too?

I have had a look at the demo sguil server so I think my client workstation has the required bits and pieces.

My other question is: what else do I need to manage my snort deployment? I assume I need some method to get and download new signatures (oinkmaster?). Do I need anything else to manage the sensor settings (IDS Center?)?

My longer term plan is to feed these events into some sort of correlation product (we currently use Tivoli Risk Manager, but I am hoping to get some Micromuse products to try out now that IBM has bought them).

I have tried to read the available documentation so I hope my questions don't seem too silly.

Thanks for your time,
Sean

PS btw if anyone has any suggestions/experiences with Dragon that will help to justify my position to my management let me know :) as I need to write a proposal as to why I want to change products.