Snort mailing list archives
RE: Distributed Snort..
From: "Oxenreider, Jeff" <jox () safelite com>
Date: Mon, 23 Jul 2001 08:18:02 -0400
We use snort across 3 different machines, and 10 or so interfaces online, 7 interfaces in one box alone. In the box with 7 interfaces, only one interface has an IP address; the other 6 only come active, and the switches that they are connected to are configured as monitor ports, and they pick up all traffic from that network segment without any problem. The other boxes each have 2 interfaces, and we monitor on the "dark" one on those as well. We're using MySQL and ACID in this environment and it's been working great. If you're using RedHat/Linux for your IDS boxes, it's very easy to bring an interface online w/o an IP address.

Jeffrey A. Oxenreider
Senior Network/Security Engineer
Safelite Glass Corp

-----Original Message-----
From: Charles Hessifer [mailto:charles.hessifer () genuity com]
Sent: Sunday, July 22, 2001 1:31 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Distributed Snort..

All,

I am setting up a distributed Snort infrastructure that consists of 10 dual-homed network sensors with one interface using 1918 and the other not yet configured. All machines will report back to my Demarc console and they will also all use the same mySQL database, which happens to be the same machine as the Demarc console. So here are a few questions that I have:

1. Is there a way to just leave the sensor's interface not configured, meaning no IP address assigned to it, possibly just in promisc mode? Will this pick up any and all traffic the interface sees for snort? The reason for this is I am limited on public addresses and would like to make it work without asking for more address space. I have used NFR and ISS Real Secure 6.0 in the past and they allow you to use an interface that has no address assigned to it for IDS. This way all other communications to and from the mySQL database and Demarc console could be done over 1918 address space.

2. Has anyone successfully configured multiple sensors to use the same database as well as report into Demarc?
The goal here is to show that with a little planning, organization, and determination I can get just as much out of a distributed Snort infrastructure as I did with NFR and ISS, but only a hell of a lot cheaper!
-----------------------------------------------------------------
Charles A. Hessifer  | Voice: (781) 262-5010
Security Analyst     | Fax: (781) 262-2819
GENUITY, OPSEC Team  | e-mail: chessife () genuity com
3 Van De Graaff      | http://www.genuity.com
Burlington, MA 01802 | PGP ID: 0x7C702C5D
-----------------------------------------------------------------
PGP Fingerprint: DA82 2981 E5A0 8870 9A33 52D0 716A 854D 7C70 2C5D
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
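The "dark" monitoring interface described in the thread (link up, no IP address, promiscuous so Snort sees the whole mirrored segment) is easy to set up on Linux, but it is worth verifying that the sensor port really is address-free and promiscuous before trusting its alerts. The script below is an added example, not code from either poster or from the Snort project: it assumes a current Linux host with iproute2 and sysfs (`/sys/class/net`), and the interface name `eth1` is a placeholder. Snort itself puts the capture interface into promiscuous mode through libpcap unless started with `-p`, so the explicit `promisc on` only makes the state visible before the sensor runs.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): bring a Linux sensor
# interface up with no IP address and verify it is a proper "dark" monitor
# port. Assumes iproute2 and sysfs; interface names are placeholders.

# Interface flag bits from <linux/if.h>, as reported in hex by
# /sys/class/net/<iface>/flags.
IFF_UP=1          # 0x1
IFF_PROMISC=256   # 0x100

# iface_flags_ok FLAGS: succeed only if the flag word has both UP and PROMISC.
# FLAGS may be decimal or 0x-prefixed hex (the sysfs format).
iface_flags_ok() {
    flags=$(( $1 ))
    [ $(( flags & IFF_UP )) -ne 0 ] && [ $(( flags & IFF_PROMISC )) -ne 0 ]
}

# addr_lines_clean: read `ip -4 -o addr show dev IFACE` output on stdin and
# succeed only when no IPv4 address is configured (a "dark" interface).
addr_lines_clean() {
    ! grep -q 'inet '
}

# bring_up_dark_iface IFACE: no address is ever assigned; ARP is disabled so the
# port never answers on the monitored segment. Needs root.
# 2001-era equivalent:  ifconfig eth1 -arp promisc up
bring_up_dark_iface() {
    ip link set dev "$1" arp off
    ip link set dev "$1" promisc on   # Snort/libpcap also sets this at start-up
    ip link set dev "$1" up
}

# check_dark_iface IFACE: report whether a live interface is up, promiscuous
# and address-free. Returns non-zero if anything is off, 2 if IFACE is absent.
check_dark_iface() {
    iface=$1
    flags=$(cat "/sys/class/net/$iface/flags" 2>/dev/null) || return 2
    if ! iface_flags_ok "$flags"; then
        echo "$iface: not UP+PROMISC (flags=$flags)" >&2
        return 1
    fi
    if ! ip -4 -o addr show dev "$iface" | addr_lines_clean; then
        echo "$iface: has an IPv4 address configured" >&2
        return 1
    fi
    echo "$iface: up, promiscuous, no IPv4 address"
}

# Usage (as root, interface name is a placeholder):
#   bring_up_dark_iface eth1 && check_dark_iface eth1
```

Run `check_dark_iface` while Snort is running (or after `bring_up_dark_iface`), because the PROMISC flag is only set while some process holds the interface in promiscuous mode; an interface that shows UP without PROMISC and is not being captured on will silently miss everything but its own unicast traffic.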
Current thread:
- Distributed Snort.. Charles Hessifer (Jul 21)
- RE: Distributed Snort.. John Berkers (Jul 22)
- <Possible follow-ups>
- RE: Distributed Snort.. Oxenreider, Jeff (Jul 23)