Snort mailing list archives
RE: Distributed Snort..
From: "John Berkers" <berjo () ozemail com au>
Date: Sun, 22 Jul 2001 21:51:31 +1000
While I'm not using Demarc, I am using a couple of dual-homed sensors, with one interface configured as IP-less. Both have in the past been logging to the same postgresql database, but I have just switched to MySQL for performance reasons, with continued success.

Just like with the other IDS products, the interface will go promiscuous and deliver all traffic to snort.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Charles Hessifer
Sent: Sunday, 22 July 2001 15:31
To: snort-users () lists sourceforge net
Subject: [Snort-users] Distributed Snort..

All,

I am setting up a distributed Snort infrastructure that consists of 10 dual-homed network sensors with one interface using 1918 and the other not yet configured. All machines will report back to my Demarc console and they will also all use the same mySQL database, which happens to be the same machine as the Demarc console. So here are a few questions that I have:

1. Is there a way to just leave the sensors' interface not configured, meaning no IP address assigned to it, possibly just in promisc mode? Will this pick up any and all traffic the interface sees for snort? The reason for this is I am limited on public addresses and would like to make it work without asking for more address space. I have used NFR and ISS Real Secure 6.0 in the past and they allow you to use an interface that has no address assigned to it for IDS. This way all other communications to and from the mySQL database and Demarc console could be done over 1918 address space.

2. Has anyone successfully configured multiple sensors to use the same database as well as report into Demarc?

The goal here is to show that with a little planning, organization, and determination I can get just as much out of a distributed Snort infrastructure as I did with NFR and ISS, but only a hell of a lot cheaper!
-----------------------------------------------------------------
Charles A. Hessifer    | Voice: (781) 262-5010
Security Analyst       | Fax: (781) 262-2819
GENUITY, OPSEC Team    | e-mail: chessife () genuity com
3 Van De Graaff        | http://www.genuity.com
Burlington, MA 01802   | PGP ID: 0x7C702C5D
-----------------------------------------------------------------
PGP Fingerprint: DA82 2981 E5A0 8870 9A33 52D0 716A 854D 7C70 2C5D
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
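The stealth-interface setup discussed above (a sniffing interface that is up and promiscuous but carries no IP address, with database and console traffic kept on the RFC 1918 interface) is easy to get subtly wrong, so here is a short script that verifies it and emits the shared database output line. This is an added example, not code from the thread, Snort or Demarc; it assumes a Linux host with iproute2, uses placeholder names (eth1, the "snort" user and database, the host 10.0.0.5), and the `output database` directive follows the Snort 1.x database plugin syntax, under which the database distinguishes sensors by hostname and interface.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks that a Snort sensor's
# sniffing interface is "IP-less": UP and PROMISC with no inet/inet6 address,
# so it hears everything on its segment but never answers on it.
# Assumes Linux with iproute2; "eth1", "snort" and "10.0.0.5" are placeholders.

# check_stealth_iface takes the text of `ip addr show dev <iface>` as its
# only argument (so it can run offline against a constructed sample) and
# returns 0 only if the flags include UP and PROMISC and no address is set.
check_stealth_iface() {
    addr_out="$1"
    # Flags sit inside <...> on the first line, e.g. <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP>
    flags=$(printf '%s\n' "$addr_out" | sed -n '1s/.*<\([^>]*\)>.*/\1/p')
    case ",$flags," in
        *,UP,*) ;;
        *) echo "interface is not UP" >&2; return 1 ;;
    esac
    case ",$flags," in
        *,PROMISC,*) ;;
        *) echo "interface is not promiscuous" >&2; return 1 ;;
    esac
    # Any inet or inet6 line means the interface is addressable (and will answer
    # ARP/ND); modern kernels add a link-local inet6 address by default unless
    # net.ipv6.conf.<iface>.disable_ipv6=1 is set.
    if printf '%s\n' "$addr_out" | grep -Eq '^[[:space:]]*inet6? '; then
        echo "interface has an address configured, not IP-less" >&2
        return 1
    fi
    return 0
}

# snort_db_output_line prints the Snort 1.x "output database" directive that
# every sensor can share: the database tells sensors apart by hostname and
# sniffing interface, so one line serves all of them.
snort_db_output_line() {
    user="$1"; dbname="$2"; host="$3"
    printf 'output database: log, mysql, user=%s dbname=%s host=%s\n' "$user" "$dbname" "$host"
}

# bring_up_stealth_iface configures a real interface; run it as root on a
# sensor only. The self-check below never calls it.
bring_up_stealth_iface() {
    iface="$1"
    sysctl -w "net.ipv6.conf.$iface.disable_ipv6=1" >/dev/null
    ip addr flush dev "$iface"
    ip link set dev "$iface" up promisc on
}

# Constructed samples of `ip addr show dev eth1` output.
SAMPLE_STEALTH='2: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 state UP
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'
SAMPLE_ADDRESSED='2: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 state UP
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth1'

if [ -n "${SENSOR_IFACE:-}" ]; then
    # Live check when pointed at an interface, e.g. SENSOR_IFACE=eth1 sh stealth.sh
    check_stealth_iface "$(ip addr show dev "$SENSOR_IFACE")" && echo "$SENSOR_IFACE is IP-less and promiscuous"
else
    check_stealth_iface "$SAMPLE_STEALTH" && echo "sample 1: stealth OK"
    check_stealth_iface "$SAMPLE_ADDRESSED" 2>/dev/null || echo "sample 2: rejected (has an address)"
    snort_db_output_line snort snort 10.0.0.5
fi
```

Run it with no arguments to exercise the two constructed samples, or with SENSOR_IFACE set to check a live sensor. The inet6 check is the part people forget: an interface with only a link-local IPv6 address still answers neighbour discovery, so it is not silent on the monitored segment.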
Current thread:
- Distributed Snort.. Charles Hessifer (Jul 21)
- RE: Distributed Snort.. John Berkers (Jul 22)
- <Possible follow-ups>
- RE: Distributed Snort.. Oxenreider, Jeff (Jul 23)