Snort mailing list archives

Re: Problem with using 2 sensors


From: James Lay <jlay () slave-tothe-box net>
Date: Sat, 08 Oct 2011 11:40:31 -0600



From:  Mike Boeckeler <boeckelr () gmail com>
Date:  Sat, 8 Oct 2011 13:03:04 -0400
To:  Snort <snort-users () lists sourceforge net>
Cc:  Kevin Ross <kevross33 () googlemail com>
Subject:  Re: [Snort-users] Problem with using 2 sensors

Hi Kev,

I'm glad that I asked that question, but unfortunately it leads to more
questions:  

1) Just so I know that we are on the same page....will doing all of this
allow me to successfully use 2 sensors...with one MySQL database and one
Base install?  

2)  Second, I was always under the impression that when setting up a Snort
sensor, in order to keep it stealthy you do not assign it an ip address.  If
that is the case, then how do I do what you suggest?  I mean, if I set up
eth1 as follows:  "ifconfig eth1 0.0.0.0", then what ip address do I have
MySQL bind to?  

3) Third - when I had Snort/BASE running last week (when it would only
report alerts on one sensor), I noticed that the amount of data shown in
BASE for each alert was kind of skimpy compared to the way it was when I had
it set up in the past.  So that leads me to output questions:

Should I use "output database: log...." or "output database: alert" if I
want to maximize what is captured by Snort/MySQL.

And in Barnyard2.conf should I use "output alert_fast" or "output
alert_full"?

I have looked for the answers to all of these questions - I get conflicting
info on them.  One more thing - If I can ever get this set up successfully,
I am going to write a config guide and submit it to Snort.org - I have
looked thru all of the guides that are currently posted there, and not one
of them mentions half of the things that you all have told me on this
thread.  

Take care and thanks again for your help.
Mike





Hi Mike,

So let's take these by the numbers ;)

1.  Yes, two sensors will show up in your mysql db...barnyard is the beast
that makes it happen.  As far as snort is concerned, all it's doing is
creating a unified2 file, and that's it.  Barnyard will have:

Instance #1
config hostname:   Int_Net
config interface:  eth0

Instance #2
config hostname:   Ext_Net
config interface:  eth1

That is what will show in your mysql db.  The above are of course for my
setup (router with two interfaces); yours will most likely differ.

2.  I don't assign an IP at all to the interface with snort...just ifconfig
eth1 promisc up, with no ip.  Have mysql bind to 127.0.0.1 unless you need
remote sql access.

3.  You use neither ;)  The process is like so:  snort ->
unified2 file -> barnyard -> mysql.  Snort doesn't get the data into mysql,
barnyard does.  For newer versions, this is how it works; for older versions,
snort put info into the db.  I have my snort going to output alert_fast and
of course unified2 file, and barnyard handles the rest.  Make sense?

Hope that helps.

James
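As an added example (not from the thread), the configuration that implements James's pipeline, snort -> unified2 -> barnyard2 -> mysql, with one barnyard2 instance per interface feeding a single database on 127.0.0.1. File paths, spool directories, the database credentials and the interface-to-hostname mapping are assumptions.

```conf
# --- snort.conf (used by both sensors): snort writes unified2 only, no database output
output alert_fast: alert
output unified2: filename snort.u2, limit 128

# --- /etc/snort/barnyard2-eth0.conf  (instance #1, internal side)
config hostname:  Int_Net
config interface: eth0
input unified2
# one MySQL database shared by both instances, reached over loopback only
# (user/password/dbname are placeholders)
output database: log, mysql, user=snort password=CHANGEME dbname=snort host=127.0.0.1

# --- /etc/snort/barnyard2-eth1.conf  (instance #2, external side)
config hostname:  Ext_Net
config interface: eth1
input unified2
output database: log, mysql, user=snort password=CHANGEME dbname=snort host=127.0.0.1

# --- my.cnf: keep MySQL off the sniffing interfaces, which carry no IP address
[mysqld]
bind-address = 127.0.0.1

# --- start-up (assumed paths; each barnyard2 instance needs its own spool dir and waldo bookmark file)
# ifconfig eth0 promisc up
# ifconfig eth1 promisc up
# snort -c /etc/snort/snort.conf -i eth0 -l /var/log/snort/eth0 -D
# snort -c /etc/snort/snort.conf -i eth1 -l /var/log/snort/eth1 -D
# barnyard2 -c /etc/snort/barnyard2-eth0.conf -d /var/log/snort/eth0 -f snort.u2 -w /var/log/snort/eth0/barnyard2.waldo -D
# barnyard2 -c /etc/snort/barnyard2-eth1.conf -d /var/log/snort/eth1 -f snort.u2 -w /var/log/snort/eth1/barnyard2.waldo -D
```

BASE then lists the two sensors by the hostname/interface pair each barnyard2 instance registers, so both show up against the one database.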


