Snort mailing list archives
Re: Distributed Snort possibility?
From: Kevin Ross <kevross33 () googlemail com>
Date: Sat, 11 Dec 2010 16:21:38 +0000
1) I would first put ones inside your network. I would advise behind any networks which go between you and the outside (i.e. internet gateways). Doing this you will see stuff which is actually in your network. I would also advise using the emergingthreats.net rules to look for malware, botnet control traffic (with the IP lists) and so on.

2) Yes, just remember to bind mysql to the network address and create a user in mysql which can log into the mysql database from the remote sensor. Also use barnyard to actually write the alerts rather than have snort do it, and have snort write the alerts in unified logs. That way the snort process doesn't have to spend time writing alerts to a database, which would be even worse across the network, so you will improve your sensor performance and drop fewer packets.

3) No, assuming you mean can one sensor read the rules of another. What to do is have oinkmaster or pulledpork and use them to enable and disable rules based on the sid number. Then have a script run oinkmaster/pulledpork to download the rules and tune them, so if the tuning is the same then all you have to think about is getting the oinkmaster.conf or pulledpork conf files onto other sensors for them to use. Also make sure you disable rules you are not using in the snort.conf files by the rule files and then tune from there. Also you can use threshold.conf to help tune out false positives on individual sensors or move that across (i.e. if you have noisy internal/external hosts which you know are ok you can suppress the alert).

Hope that answers your question. Drop me an email if you need any help or more questions answered and I will do my best.

Kevin

On 11 December 2010 15:44, turki <turki_00 () yahoo com> wrote:
> Hi, I am new to Snort and I have these totally newbie questions:
>
> 1- Can Snort monitor remote network traffic? Meaning Snort is installed in a local network and it needs to monitor/capture packets from a remote network. Is this possible? (I am not sure where the Snort sensor should be installed in this case, in the local network or in the remote network?)
>
> 2- If I have 2 separate machines in the same network, each running its own Snort, can they (both) log alerts into the same MySQL db? (shared db for multiple Snort instances?)
>
> 3- Same scenario as question 2 (above): can the two Snort machines share the same rules between them?
>
> Thank you,

_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
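The following is an added example, not code from this thread and not the code of Snort, oinkmaster or pulledpork. It does by hand what Kevin's point 3 hands to oinkmaster/pulledpork: apply one shared tuning policy (pulledpork-style gid:sid disable/enable lines) to a Snort 2.x rules file by SID, then fingerprint the set of active rules so you can confirm that two sensors really ended up with identical tuning. It also builds the threshold.conf suppress line used to quiet a known-good host. All rules, SIDs (local 1000000+ range) and addresses are constructed for illustration.

```python
#!/usr/bin/env python3
"""Added example, not code from the thread or from Snort/oinkmaster/pulledpork.

Apply a shared gid:sid tuning policy to a Snort 2.x rules file and
fingerprint the resulting active rule set; also emit threshold.conf
suppress lines. Every rule, SID and address is constructed.
"""
import hashlib
import re

# Constructed sample rules file (not real Snort or Emerging Threats rules).
# One rule ships commented out.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH brute force"; flow:to_server; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"EXAMPLE IRC botnet C2"; flow:to_server; sid:1000002; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"EXAMPLE DNS query volume"; sid:1000003; rev:1;)
alert tcp $HOME_NET any -> any 80 (msg:"EXAMPLE HTTP chatter"; sid:1000004; rev:1;)
"""

# Constructed shared tuning in the gid:sid format of pulledpork's
# disablesid.conf / enablesid.conf; '#' starts a comment.
DISABLESID_CONF = "1:1000004  # HTTP chatter is pure noise on every sensor\n"
ENABLESID_CONF = "1:1000003\n"

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
RULE_RE = re.compile(r"^\s*(#\s*)?(alert|log|pass|drop|reject|sdrop)\b")


def parse_tuning(text, gid=1):
    """Return the set of SIDs listed for `gid` in gid:sid tuning text."""
    sids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        g, s = line.split(":", 1)
        if int(g) == gid:
            sids.add(int(s))
    return sids


def apply_tuning(rules_text, disable, enable=frozenset()):
    """Comment out rules whose SID is in `disable`; uncomment those in
    `enable`. Lines that are not rules (or carry no sid) pass through."""
    out = []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        s = SID_RE.search(line)
        if not (m and s):
            out.append(line)
            continue
        sid = int(s.group(1))
        body = line.strip().lstrip("#").strip()   # rule text without '#'
        if sid in disable:
            out.append("# " + body)
        elif sid in enable:
            out.append(body)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def active_sids(rules_text):
    """SIDs of rules that are not commented out, sorted."""
    sids = []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        s = SID_RE.search(line)
        if m and s and m.group(1) is None:
            sids.append(int(s.group(1)))
    return sorted(sids)


def fingerprint(rules_text):
    """SHA-256 over the active rule lines only, so whitespace or comment
    differences between sensors do not mask (or fake) a tuning difference."""
    active = []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if m and m.group(1) is None:
            active.append(line.strip())
    return hashlib.sha256("\n".join(active).encode()).hexdigest()


def suppress_line(sid, ip, gid=1, track="by_src"):
    """threshold.conf line that silences `sid` for a known-good host."""
    return f"suppress gen_id {gid}, sig_id {sid}, track {track}, ip {ip}"


def tune(rules_text=SAMPLE_RULES, disablesid=DISABLESID_CONF,
         enablesid=ENABLESID_CONF):
    """One sensor's tuning run: returns (tuned rules text, fingerprint)."""
    tuned = apply_tuning(rules_text, parse_tuning(disablesid),
                         parse_tuning(enablesid))
    return tuned, fingerprint(tuned)


if __name__ == "__main__":
    sensor_a, fp_a = tune()
    sensor_b, fp_b = tune()  # same policy files copied to a second sensor
    print(sensor_a)
    print("active SIDs:", active_sids(sensor_a))
    print("sensors agree:", fp_a == fp_b)
    print(suppress_line(1000001, "192.168.1.10"))  # hypothetical known scanner
```

In practice you would run the fingerprint on each sensor's tuned rules directory after the oinkmaster/pulledpork cron job and compare the hashes centrally; a mismatch means a sensor is running a different policy than you think, which is exactly the drift that copying the same conf files to every sensor is meant to prevent. The suppress line belongs in threshold.conf on the sensor that sees the noisy host, or in the shared copy if the host is noisy from everywhere.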
Current thread:
- Distributed Snort possibility? turki (Dec 11)
- Re: Distributed Snort possibility? Kevin Ross (Dec 11)