Snort mailing list archives
Re: Best way to deploy snort
From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Tue, 06 Apr 2010 13:48:24 -0500
--On Tuesday, April 06, 2010 09:51:40 +0800 Kum Weng Luey <kumwengluey () gmail com> wrote:
Hi all, I was wondering what would be the optimal setting to deploy snort with base and barnyard.
1) Don't use barnyard. Use barnyard2.
I am thinking of separating the mysql database from snort itself and placing it on a remote server.
That's up to you. Either way will work. Depending upon how much horsepower your box has (cpu and memory) snort and mysql can coexist on the same box.
I am wondering, do I need to have an additional interface for snort? One interface for sniffing and the other to push alerts to the mysql server.
Yes. One interface for passive sniffing, and one interface for management of the box. It doesn't matter if mysql is local or remote. You will still need two interfaces.
One last question: Would snort be better off being placed in the DMZ to sniff incoming traffic or within the internal LAN between the router and the firewall.
That depends entirely upon your network topology and what you want to monitor. Snort will "see" whatever traffic passes its passive interface. What traffic that is depends upon what you are trying to accomplish.
--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead." Thomas Jefferson
Current thread:
- Best way to deploy snort Kum Weng Luey (Apr 05)
- Re: Best way to deploy snort Glenn English (Apr 05)
- Re: Best way to deploy snort Paul Schmehl (Apr 06)
- Re: Best way to deploy snort Kum Weng Luey (Apr 06)