RE: Centralized DB Server??

[Kris Quinby <kquinby () pdx medscapeinc com>]

Are your sensors in different geographic locations?  If not you could have
two network interfaces in each NIDS, one with no IP on the network you are
watching, and one on a "management" network.  Then you could have your MySQL
data base on the management network collecting from all your sensors.

Kris

-----Original Message-----
From: Marc Thompson [mailto:Marc.Thompson () bops com]
Sent: Monday, June 11, 2001 7:21 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Centralized DB Server??


I would like to use a IDS architecture using Snort and MySQL 
that utilizes multiple NIDS across many routers and sites, but
only one database to collect alerts.

My question is, wouldn't the action of sending an alert to a
centralized database set off the same rule on a NIDS box sitting
between the alert source and the remote database?

Is the only way to prevent this double-logging of alerts to specify
that the 'in-between' NIDS should ignore traffic from the remote NIDS
to the central database server?  If so, is there a standard way of
specifying this in the Snort configuration file? (ignore traffic
globally to the MySQL TCP port?)

Thank you in advance,
Marc Thompson


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users