Snort mailing list archives

RE: Distributed Snort..


From: "John Berkers" <berjo () ozemail com au>
Date: Sun, 22 Jul 2001 21:51:31 +1000

While I'm not using Demarc, I am using a couple of dual-homed sensors, with
one interface configured as IP-less.  Both have in the past been logging to
the same postgresql database, but I have just switched to MySQL for
performance reasons, with continued success.  Just like with the other IDS
products, the interface will go promiscuous and deliver all traffic to
snort.


-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Charles
Hessifer
Sent: Sunday, 22 July 2001 15:31
To: snort-users () lists sourceforge net
Subject: [Snort-users] Distributed Snort..


All,

I am setting up a distributed Snort infrastructure that consists of 10
dual-homed network sensors with one interface using 1918 and the other not
yet configured. All machines will report back to my Demarc console and they
will also all use the same mySQL database which happens to be the same
machine as the Demarc console.

So here are a few questions that I have:

1. Is there a way to just leave the sensors interface not configured,
meaning no IP address assigned to it possibly just in promisc mode? Will
this pick up any and all traffic the interface sees for snort? The reason
for this is I am limited on public addresses and would like to make it work
without asking for more address space. I have used NFR and ISS Real Secure
6.0 in the past and they allow you to use an interface that has no address
assigned to it for IDS. This way all other communications to and from the
mySQL database and Demarc console could be done over 1918 address space.

2. Has anyone successfully configured multiple sensors to use the same
database as well as report into Demarc?

The goal here is to show that with a little planning, organization, and
determination I can get just as much out of a distributed Snort
infrastructure as I did with NFR and ISS, but only a hell of a lot cheaper!

-----------------------------------------------------------------
Charles A. Hessifer           |  Voice:  (781) 262-5010
Security Analyst              |  Fax:      (781) 262-2819
GENUITY, OPSEC Team           |  e-mail: chessife () genuity com
3 Van De Graaff               |  http://www.genuity.com
Burlington, MA  01802       |  PGP ID: 0x7C702C5D
-----------------------------------------------------------------
PGP Fingerprint: DA82 2981 E5A0 8870 9A33 52D0 716A 854D 7C70 2C5D


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

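The setup both messages describe (a dual-homed sensor sniffing on an interface that has no IP address, logging to one MySQL database shared by several sensors over the RFC 1918 side), as an added example that is not part of either post: a POSIX shell helper that checks the sniffing interface is promiscuous and address-less before snort is started on it, and builds the snort.conf database output line with a per-sensor name so that events from ten sensors stay distinguishable in the one database. The interface name eth1, the database host 10.0.0.5, the password placeholder and the naming scheme are assumptions; `sensor_name` is the database output plugin's own option.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks a dedicated sniffing
# interface and renders the shared-database output line for snort.conf.
# eth1, 10.0.0.5 and the CHANGEME password are placeholders.

# IFF_PROMISC bit as exposed in /sys/class/net/<iface>/flags (Linux).
IFF_PROMISC=256

# is_promisc HEXFLAGS -> succeeds if the promiscuous bit is set.
# HEXFLAGS is the content of /sys/class/net/<iface>/flags, e.g. 0x1103.
is_promisc() {
    flags=$(( $1 ))
    [ $(( flags & IFF_PROMISC )) -ne 0 ]
}

# has_ipv4 TEXT -> succeeds if TEXT (output of `ip -4 addr show dev X`)
# contains an "inet " line, i.e. the interface carries an IPv4 address.
# "inet6" lines do not match because of the trailing space.
has_ipv4() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*inet '
}

# sniff_iface_ok IFACE -> succeeds if IFACE is promiscuous and IP-less.
# Reads the live system and wraps the two pure checks above.
sniff_iface_ok() {
    iface=$1
    [ -r "/sys/class/net/$iface/flags" ] || return 1
    is_promisc "$(cat "/sys/class/net/$iface/flags")" || return 1
    ! has_ipv4 "$(ip -4 addr show dev "$iface" 2>/dev/null)"
}

# prepare_sniff_iface IFACE: bring the interface up with no address and
# promiscuous mode on (needs root). Flushing addresses keeps the sniffing
# side unreachable from the monitored network; management traffic to the
# database and console stays on the RFC 1918 interface.
prepare_sniff_iface() {
    ip addr flush dev "$1" &&
    ip link set dev "$1" up promisc on
}

# db_output_line SENSOR_NAME DBHOST -> the snort.conf "output database" line
# for the shared MySQL database. sensor_name makes each sensor's events
# distinct in the common database; without it snort derives a name itself.
db_output_line() {
    printf 'output database: log, mysql, user=snort password=CHANGEME dbname=snort host=%s sensor_name=%s\n' "$2" "$1"
}

# Usage on a sensor (commented out so the file can be sourced without root):
# prepare_sniff_iface eth1
# sniff_iface_ok eth1 || { echo "eth1 not ready for sniffing" >&2; exit 1; }
# db_output_line "$(hostname)-eth1" 10.0.0.5 >> /etc/snort/snort.conf
# snort -i eth1 -c /etc/snort/snort.conf -D
```

Run the usage lines on each sensor after editing the placeholders; the check fails fast if someone later assigns an address to the sniffing side, which would expose the sensor on the monitored segment.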

