This is a discussion on Re: [Snort-users] Advice on IDS across WANS within the Snort forums, part of the System Security and Security Related category.
> What can you people on this list advise so that I can read all logs
> from all 5 machines from a console machine in SiteA in the most secure
> way, and if possible with Snort report?

You could use a Barnyard solution. Using Barnyard, you could have all your sensors log in binary format and have a script scp everything off the sensors to the analyst box. Then have Barnyard process the files. Several well-documented solutions talk about this subject, so I am not going to reproduce it. This would allow you to place a sensor anywhere and use SSH as the tunnel.

If you really wanted to get crazy, you could use TCPDump and scp the raw traffic, but that would not be efficient unless you wrote some good filters. The Shadow IDS project is based around TCPDump and the above method. It is how I got started with it and a good place to begin.

Also check out Bill Stearns' SSH-Keyinstall. This app takes almost all the headache out of SSH key-based authentication for scripts.

Some great resources:
http://www.stearns.org/ssh-keyinstall/ - Bill Stearns' SSH-Keyinstall
http://sguil.sourceforge.net/ - Great front end
http://www.sans.org/rr/catindex.php?cat_id=30 - Great source of papers on IDS
http://www.nswc.navy.mil/ISSEC/CID/ - Shadow IDS home page

Mileage may vary and these are my opinions ;)

Respectfully,
Rich

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users
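The collection scheme Rich describes (sensors write unified binary logs, a script on the console pulls the finished files over scp with a key used only for that job, then Barnyard processes them on the analyst box), written out as an added example. It is not code from the original post, from Snort or from the Barnyard project. The sensor names, directories, collection account, key file, console address and the barnyard command-line flags are all assumptions; TRANSPORT=local is a dry-run mode that treats each sensor name as a local directory so the script can be exercised without any SSH at all.

```shell
#!/bin/sh
# Added example: pull completed Snort unified logs from remote sensors to the
# analyst console over scp, park them on the sensor, then run Barnyard on them.
# Everything below the comment banner (names, paths, flags) is an assumption.
set -eu

SENSORS="${SENSORS:-sensorB sensorC sensorD sensorE sensorF}"   # assumed hostnames
SENSOR_LOGDIR="${SENSOR_LOGDIR:-/var/log/snort}"               # where Snort writes on the sensor
SPOOL="${SPOOL:-/var/spool/snort}"                             # per-sensor spool on the console
KEY="${KEY:-/root/.ssh/snort-collect}"                         # key used ONLY for collection
COLLECT_USER="${COLLECT_USER:-snortcollect}"                   # unprivileged account on the sensor
CONSOLE_ADDR="${CONSOLE_ADDR:-10.0.0.5}"                       # assumed console address
BARNYARD="${BARNYARD:-barnyard -c /etc/snort/barnyard.conf -o}" # assumed one-shot invocation
TRANSPORT="${TRANSPORT:-ssh}"                                  # "local" = dry run, no SSH

# Run a shell command on a sensor. In local mode the sensor name is a directory.
remote_sh() {
    host=$1; shift
    if [ "$TRANSPORT" = local ]; then
        (cd "$host" && sh -c "$*")
    else
        ssh -i "$KEY" -o BatchMode=yes "$COLLECT_USER@$host" "$*"
    fi
}

# Copy one file from a sensor into the console spool.
copy_from() {
    host=$1; src=$2; dest=$3
    if [ "$TRANSPORT" = local ]; then
        cp "$host/$src" "$dest"
    else
        scp -q -i "$KEY" -o BatchMode=yes "$COLLECT_USER@$host:$src" "$dest"
    fi
}

# Read file names (one per line) and print every unified log except the newest,
# which Snort is still writing. Names are snort.log.<unix time>, so a lexical
# sort is a time sort while the timestamps stay 10 digits wide.
completed_logs() {
    grep '^snort\.log\.[0-9]*$' | sort | sed '$d'
}

# Pull the finished logs of one sensor; print how many files were transferred.
# A file is moved aside on the sensor only after its copy succeeded, so a
# failed transfer is simply retried on the next run and nothing is sent twice.
pull_sensor() {
    host=$1
    mkdir -p "$SPOOL/$host"
    n=0
    for f in $(remote_sh "$host" "ls $SENSOR_LOGDIR" | completed_logs); do
        copy_from "$host" "$SENSOR_LOGDIR/$f" "$SPOOL/$host/$f"
        remote_sh "$host" "mkdir -p $SENSOR_LOGDIR/sent && mv $SENSOR_LOGDIR/$f $SENSOR_LOGDIR/sent/"
        n=$((n + 1))
    done
    echo "$n"
}

# Hand each spooled file to Barnyard and mark it so a rerun skips it.
process_sensor() {
    host=$1
    for f in "$SPOOL/$host"/snort.log.*; do
        [ -e "$f" ] || continue
        case "$f" in *.done) continue ;; esac
        $BARNYARD "$f"
        mv "$f" "$f.done"
    done
}

collect_all() {
    for h in $SENSORS; do
        echo "$h: $(pull_sensor "$h") file(s) pulled"
        process_sensor "$h"
    done
}

# authorized_keys line to install for COLLECT_USER on each sensor: the key only
# works from the console address and gets no pty, port or agent forwarding.
restricted_key_line() {
    pub=$(cat "$1")
    echo "from=\"$CONSOLE_ADDR\",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding $pub"
}

case "${1:-}" in
    run)     collect_all ;;
    keyline) restricted_key_line "$2" ;;
esac
```

Run it from cron on the console as `collect.sh run`; `collect.sh keyline ~/.ssh/snort-collect.pub` prints the line to append to the sensor's authorized_keys. Two caveats a practitioner would add: pin a `command="..."` wrapper on that key as well so the console's key can only list, copy and move files under the log directory (a wrapper is needed because scp and ssh each invoke a different remote command, and none is shown here), and use a dedicated account on the sensor rather than root, since the script never needs to write anywhere but the log directory.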