Snort mailing list archives

RE: SnortDB question


From: Fraser Hugh <hugh_fraser () dofasco ca>
Date: Fri, 3 Aug 2001 15:33:14 -0400

This configuration works well with snort, since each machine identifies
itself and tags all alerts generated by it in the database. I use ACID to do
the followup analysis.

If you want to go the distributed route, the ideal solution is to install a
second NIC in the probes and give them a separate LAN to converse with the
database engine. This provides the "probes" with a private connection
un-affected by disturbances in the network you're monitoring, and allows
them to operate passively without announcing their presence on the network
through a database connection. Admittedly, this isn't always do-able, and in
those cases I've opted to make the probes autonomous... each one runs snort
logging to a database, with some additional apps watching the database for
significant events, and a modem for paging.


-----Original Message-----
From: Julia A. Case [SMTP:julie () MageNet com]
Sent: Friday, August 03, 2001 10:13 AM
To:   snort-users () lists sourceforge net
Subject:      [Snort-users] SnortDB question

I've got a client that would like me to set up IDS for their networks, 
I'll have snort running on about 10 machines, and I want to log to a 
central database...  Will this cause too much extra network traffic?  Can 
I log to one database or do I need a separate database for each machine?  
I want to make this as simple as I can for them to monitor after I show 
them how to use it.

Julia

-- 
[  Julia Anne Case  ] [        Ships are safe inside the harbor,       ]
[Programmer at large] [      but is that what ships are really for.    ]
[   Admining Linux  ] [           To thine own self be true.           ]
[ Windows/WindowsNT ] [ Fair is where you take your cows to be judged. ]

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
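An added example (not code from the thread) of the kind of "app watching the database" the reply mentions: a poller that reads the per-sensor event stream, pages only on high-priority signatures, and keeps a per-sensor watermark so a probe's alerts are never reported twice. The table layout is an assumption approximating the Snort database schema of the time, and the rows are constructed.

```python
import sqlite3

# Constructed sample of the Snort database layout (an assumption approximating
# the schema ACID reads; not taken from the thread): each probe registers a row
# in `sensor`, and every alert it logs lands in `event` tagged with that sid.
SAMPLE_SQL = """
CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_priority INTEGER);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                    PRIMARY KEY (sid, cid));
INSERT INTO sensor VALUES (1, 'probe-dmz', 'eth0'), (2, 'probe-lan', 'eth0');
INSERT INTO signature VALUES (10, 'ICMP PING', 3), (11, 'WEB-IIS cmd.exe access', 1);
INSERT INTO event VALUES (1, 1, 10, '2001-08-03 10:00:00'),
                         (1, 2, 11, '2001-08-03 10:00:05'),
                         (2, 1, 10, '2001-08-03 10:01:00'),
                         (2, 2, 11, '2001-08-03 10:01:07'),
                         (2, 3, 11, '2001-08-03 10:01:09');
"""

def open_sample_db():
    """Build the constructed database in memory so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SQL)
    return conn

def significant_events(conn, max_priority, last_seen):
    """Return (hostname, cid, sig_name, timestamp) for events whose signature
    priority is at or above the threshold (lower number = more severe) and whose
    cid is newer than the per-sensor watermark in `last_seen` ({sid: cid}).
    The watermark is advanced so the next poll does not page for the same event."""
    rows = conn.execute(
        """SELECT e.sid, s.hostname, e.cid, g.sig_name, e.timestamp
           FROM event e
           JOIN sensor s ON s.sid = e.sid
           JOIN signature g ON g.sig_id = e.signature
           WHERE g.sig_priority <= ?
           ORDER BY e.sid, e.cid""",
        (max_priority,),
    ).fetchall()
    fresh = []
    for sid, host, cid, name, ts in rows:
        if cid > last_seen.get(sid, 0):   # cid is per-sensor, so compare per sid
            fresh.append((host, cid, name, ts))
            last_seen[sid] = cid
    return fresh

if __name__ == "__main__":
    seen = {}
    for host, cid, name, ts in significant_events(open_sample_db(), 1, seen):
        print(f"PAGE {host}: event {cid} {name} at {ts}")
```

In a real deployment the loop above would run on a timer against the central database and hand each fresh row to the paging modem instead of printing it.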
