Snort mailing list archives
Re: Multi Snort Clients
From: "Champ Clark III [Softwink]" <champ () softwink com>
Date: Thu, 27 Jan 2011 11:52:07 -0500
On Fri, Jan 28, 2011 at 05:40:45AM +1300, Ahmed Qaisi wrote:
> Hi all, I'm doing my masters in multiple entities systems. One category of these entities is multiple IDSs (Snorts). Now, I have three IDS machines (clients) in three different subnets. I want to be able to send all possible snort logs from these clients through the network to a particular (fourth) machine (server). Can you please point me to the right direction?
There's multiple ways to do this, and I'm sure there are plenty of people on the list that'll have ideas. I don't know of any direct documentation, but I might be able to point you in the right direction.

The way I've done it is to have the three "sensors" report to the server via Barnyard2/SQL. You then just have to figure out how you want the database(s) to be set up. That is, one database for all sensors, which will show up in the DB as separate sids (Sensor IDs), or 3 databases with one sensor ID per sensor. It largely depends on how you want the database to be stored/accessed.

What I'd advise is you set up a sensor with Snort/Barnyard2/SQL (MySQL/PostgreSQL/whatever) and go from there. That is, do _one_ sensor so you can understand _how_ Snort logs to the backend. Once you understand that, you can go from there.

--
Champ Clark III | Softwink, Inc | 800-538-9357 x 101
http://www.softwink.com
GPG Key ID: 58A2A58F
Key fingerprint = 7734 2A1C 007D 581E BDF7 6AD5 0F1F 655F 58A2 A58F
If it wasn't for C, we'd be using BASI, PASAL and OBOL.
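A concrete version of the single-database layout described in the reply above, added here as an example and not taken from the original thread: the barnyard2.conf fragment for one of the three sensors, forwarding Snort's unified2 output to the central MySQL server. The hostname, interface, file paths, server address, database name and credentials are placeholder assumptions to replace.

```conf
# Added example (not from the original post): barnyard2.conf for ONE sensor.
# All names, paths and addresses below are placeholders.

# Sensor identity. Barnyard2 looks up (or creates) the row in the `sensor`
# table from hostname + interface, so giving each of the three machines a
# distinct hostname is what produces separate sids in a shared database.
config hostname:  sensor-subnet-a
config interface: eth0

# Rule metadata so alerts carry signature names and classifications.
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map

# Bookmark file: remembers how far the spool was read, so nothing is
# re-inserted into the database after a restart.
config waldo_file: /var/log/snort/barnyard2.waldo

# Read the spool Snort writes with "output unified2: filename snort.u2".
input unified2

# Log every event to the shared database on the server (192.0.2.10 is a
# documentation address). Use a dedicated DB account limited to this
# database rather than a shared or administrative one.
output database: log, mysql, user=snort password=CHANGE_ME dbname=snort host=192.0.2.10
```

Start it on each sensor with something like `barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo`; repeating the same config on the other two machines with their own `config hostname:` values yields three sids in the one `snort` database.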