Re: [Sguil-users] sguil architecture questions
From: ScottO <ski...@gm...> - 2007-04-27 11:10:07
Roman Daszczyszak wrote:
> Well, after finding the architecture description in the sguil wiki,
> I've got some answers to the questions below. Please check them over
> and correct me if needed; I just want to know if I'm following this
> correctly.
>
> On 4/27/07, Roman Daszczyszak <rom...@gm...> wrote:
>> I am trying to monitor a 1Gb full-duplex link via a network tap, as
>> you all know.
>>
>> My understanding of sguil is that there are these parts:
>> 1. Snort and Barnyard handling alert generation
> Okay, so Snort handles alert generation, and Barnyard inserts the
> alerts into the MySQL database.
>

Actually, Snort logs unified output, Barnyard reads this and passes it to the Sguil Sensor Agent, who then sends it to the Sguild Server, and it inserts it into the Database.

>> 2. Full packet logging via either snort or some other application
>> 3. A mysql database to store alerts? or is it storing the full packet
>> capture information?
> My understanding is that the MySQL database only stores alert and
> session data, not the full packet capture data. Is this correct?
>
> If so, how does sguil query for the full packet data? If not, what am
> I misunderstanding?

When an analyst requests full content data from the Sguil Client, the Sguild Server asks the Sguil Sensor Agent on the appropriate sensor for the corresponding piece of that full content file, and that resulting pcap ends up on your client machine.

>
>> 4. The sguild server daemon
> Does this sit on the server with the database?

Yes, it can. The Sguild Server is what all Sguil Sensor Agents and Sguil Clients communicate with.

>
>> 5. The sguil client
>>
>> My question is, how can I organize these for optimal performance? I
>> have the option of either colocating everything on one server, minus
>> the client, or splitting them up between 2 or 3 servers.
> This is still my question. I'm curious where people have had the most
> trouble, performance-wise, with their sguil architecture.

I never combine everything. Separate your Sguil Server(s) from your Sguil Sensor(s). In my case, I ended up setting up a few Sguil Servers, and have various sensors report to them. The upside is that it is speedier on queries; the downside is that I have to separately connect to various Sguild Servers - and do any additional correlation a different way.

>> Do I set up snort and barnyard on one server, with the database on
>> another co-located with the sguild server daemon?
>> Is another server required that just does packet logging, given the
>> high-bandwidth link? I am logging the entire packet (1515 on
>> Ethernet). How does sguil obtain the full packet capture data from the
>> packet logging server without affecting capturing performance?
> I'm still curious how this works... so if anyone can lend me a clue,
> I'd appreciate it.
>
> Thanks,
> Roman
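The retrieval path described in this reply (the client asks the Sguild Server, the server asks the Sensor Agent for the piece of the full-content file that belongs to one alert, and the resulting pcap lands on the analyst's machine) is illustrated by the following added Python example. It is not Sguil's own code: it carves one TCP session, selected by 5-tuple and a time window, out of a pcap file image that the script itself builds in memory from constructed frames. The request fields (5-tuple plus a window around the alert timestamp), the addresses, ports and timestamps are all assumptions made for the example, and it uses only the Python standard library.

```python
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4     # microsecond-resolution pcap, written little-endian below
LINKTYPE_ETHERNET = 1


def build_frame(src_ip, sport, dst_ip, dport, payload=b""):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed test data; checksums left zero)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)            # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def build_pcap(records):
    """Serialise [(timestamp_seconds, frame_bytes), ...] into a pcap file image."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_pcap(data):
    """Yield (timestamp_seconds, frame_bytes) from a little-endian pcap image."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("only native little-endian microsecond pcap is handled here")
    off = 24                                                  # skip the global header
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield sec + usec / 1_000_000, data[off:off + incl_len]
        off += incl_len


def five_tuple(frame):
    """Return (src_ip, sport, dst_ip, dport) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ver_ihl, proto = frame[14], frame[14 + 9]
    if ver_ihl >> 4 != 4 or proto != 6:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    src = socket.inet_ntoa(frame[14 + 12:14 + 16])
    dst = socket.inet_ntoa(frame[14 + 16:14 + 20])
    tcp_off = 14 + ihl
    if len(frame) < tcp_off + 4:
        return None
    sport, dport = struct.unpack_from("!HH", frame, tcp_off)
    return src, sport, dst, dport


def extract_session(pcap_bytes, src_ip, sport, dst_ip, dport, start_ts, end_ts):
    """Return a new pcap holding both directions of one TCP session inside [start_ts, end_ts]."""
    wanted = {(src_ip, sport, dst_ip, dport), (dst_ip, dport, src_ip, sport)}
    matched = [(ts, frame) for ts, frame in iter_pcap(pcap_bytes)
               if start_ts <= ts <= end_ts and five_tuple(frame) in wanted]
    return build_pcap(matched)


def count_packets(pcap_bytes):
    return sum(1 for _ in iter_pcap(pcap_bytes))


# Constructed stand-in for a sensor's full-content file: one HTTP session of interest,
# an unrelated connection, and a packet from the same tuple long after the alert window.
T0 = 1177671000.0
SAMPLE_PCAP = build_pcap([
    (T0 + 0.000, build_frame("10.0.0.5", 40000, "192.0.2.10", 80, b"GET / HTTP/1.0\r\n\r\n")),
    (T0 + 0.010, build_frame("192.0.2.10", 80, "10.0.0.5", 40000, b"HTTP/1.0 200 OK\r\n")),
    (T0 + 0.020, build_frame("10.0.0.5", 40001, "192.0.2.10", 80, b"unrelated session")),
    (T0 + 0.030, build_frame("10.0.0.5", 40000, "192.0.2.10", 80, b"")),
    (T0 + 900.0, build_frame("10.0.0.5", 40000, "192.0.2.10", 80, b"same tuple, much later")),
])

if __name__ == "__main__":
    # Assumed request shape: the alert's 5-tuple plus a window around its timestamp.
    clip = extract_session(SAMPLE_PCAP, "10.0.0.5", 40000, "192.0.2.10", 80, T0 - 1, T0 + 60)
    with open("alert_session.pcap", "wb") as fh:
        fh.write(clip)
    print(f"{count_packets(SAMPLE_PCAP)} packets in full-content file, "
          f"{count_packets(clip)} returned for the alert")
```

The carve reads the already-written capture file and never touches the capturing process, which is the general reason a full-content request does not slow logging on the sensor; the file it returns is small (only the session around the alert) and is what travels back through the server to the client. The in-memory pcap reader accepts only the native little-endian microsecond format, so a real tool would also handle the byte-swapped and nanosecond magic numbers.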