Snort mailing list archives

RE: Distributed Snort..


From: "Oxenreider, Jeff" <jox () safelite com>
Date: Mon, 23 Jul 2001 08:18:02 -0400

We use snort across 3 different machines, and 10 or so interfaces online.  7
interfaces in one box alone.  In the box with 7 interfaces, only one
interface has an IP address, the other 6 only come active and the switches
that they are connected to are configured as monitor ports and they pick up
all traffic from that network segment without any problem.  The other boxes
each have 2 interfaces, and we monitor on the "dark" one on those as well.  

We're using MySQL and ACID in this environment and it's been working great.
If you're using RedHat/Linux for your IDS boxes, it's very easy to bring an
interface online w/o an IP address. 


Jeffrey A. Oxenreider
Senior Network/Security Engineer
Safelite Glass Corp



-----Original Message-----
From: Charles Hessifer [mailto:charles.hessifer () genuity com]
Sent: Sunday, July 22, 2001 1:31 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Distributed Snort..


All,

I am setting up a distributed Snort infrastructure that consists of 10
dual-homed network sensors with one interface using 1918 and the other not
yet configured. All machines will report back to my Demarc console and they
will also all use the same MySQL database which happens to be the same
machine as the Demarc console.

So here are a few questions that I have:

1. Is there a way to just leave the sensors interface not configured,
meaning no IP address assigned to it possibly just in promisc mode? Will
this pick up any and all traffic the interface sees for snort? The reason
for this is I am limited on public addresses and would like to make it work
without asking for more address space. I have used NFR and ISS Real Secure
6.0 in the past and they allow you to use an interface that has no address
assigned to it for IDS. This way all other communications to and from the
MySQL database and Demarc console could be done over 1918 address space.

2. Has anyone successfully configured multiple sensors to use the same
database as well as report into Demarc?

The goal here is to show that with a little planning, organization, and
determination I can get just as much out of a distributed Snort
infrastructure as I did with NFR and ISS, but only a hell of a lot cheaper!

-----------------------------------------------------------------
Charles A. Hessifer           |  Voice:  (781) 262-5010
Security Analyst              |  Fax:      (781) 262-2819
GENUITY, OPSEC Team           |  e-mail: chessife () genuity com
3 Van De Graaff               |  http://www.genuity.com
Burlington, MA  01802         |  PGP ID: 0x7C702C5D
-----------------------------------------------------------------
PGP Fingerprint: DA82 2981 E5A0 8870 9A33 52D0 716A 854D 7C70 2C5D
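
The "dark" sensor interface both messages describe, brought up without an IP address and then verified, as an added shell example that is not from either poster: it assumes a modern Linux host with iproute2's `ip` (the 2001-era equivalent was `ifconfig eth1 up promisc`) and uses a placeholder interface name.

```shell
#!/bin/sh
# Added example (not from the thread): bring a Linux sensor's sniffing
# interface up with no IP address ("dark"), then verify that state.
# Assumes iproute2 (`ip`); the interface name below is a placeholder.

SNIFF_IF="${SNIFF_IF:-eth1}"   # hypothetical monitor-port interface

# Bring the interface up without an address and in promiscuous mode.
# "arp off" stops the sensor from answering ARP on the monitored segment,
# so the only thing it ever does on that wire is listen.  Needs root.
bring_up_dark_iface() {
    ip link set dev "$1" up promisc on arp off
}

# Read `ip addr show <iface>` output from stdin and return 0 only if the
# interface is UP, PROMISC and carries no IPv4 address; 1 otherwise.
dark_iface_ok() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q 'PROMISC'            || return 1
    printf '%s\n' "$out" | grep -q '[<,]UP[,>]'         || return 1
    printf '%s\n' "$out" | grep -q '^[[:space:]]*inet ' && return 1
    return 0
}

# Constructed sample of `ip addr show` output for a correctly configured
# dark interface, used for the offline self-check below.
SAMPLE_DARK='2: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 state UP
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'

if [ "${1:-}" = "--apply" ]; then
    # Real run: configure the interface, then check what the kernel reports.
    bring_up_dark_iface "$SNIFF_IF"
    if ip addr show "$SNIFF_IF" | dark_iface_ok; then
        echo "$SNIFF_IF: dark (no IP, promiscuous)"
    else
        echo "$SNIFF_IF: NOT dark, check address/promisc state" >&2
    fi
else
    # Dry run: exercise the checker on the constructed sample only.
    if printf '%s\n' "$SAMPLE_DARK" | dark_iface_ok; then
        echo "sample: dark interface OK"
    fi
fi
```

Run with `--apply` as root on the sensor to configure the interface; without arguments it only checks the embedded sample.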


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users