Snort mailing list archives

Re: Best way to deploy snort


From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Tue, 06 Apr 2010 13:48:24 -0500

--On Tuesday, April 06, 2010 09:51:40 +0800 Kum Weng Luey 
<kumwengluey () gmail com> wrote:

> Hi all,
>
> I was wondering what would be the optimal setting to deploy snort with base
> and barnyard.

1) Don't use barnyard.  Use barnyard2.

> I am thinking of separating the mysql database from snort
> itself and place it on a remote server.

That's up to you.  Either way will work.  Depending upon how much horsepower 
your box has (cpu and memory) snort and mysql can coexist on the same box.

> I am wondering do I need to have an
> additional interface for snort ? One interface for sniffing and the other to
> push alerts to the mysql server.

Yes.  One interface for passive sniffing, and one interface for management of 
the box.  It doesn't matter if mysql is local or remote.  You will still need 
two interfaces.

> One last question: Would snort be better off being placed in the DMZ to sniff
> incoming traffic or within the internal LAN between the router and the
> firewall.

That depends entirely upon your network topology and what you want to monitor. 
Snort will "see" whatever traffic passes its passive interface.  What traffic 
that is depends upon what you are trying to accomplish.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson

