Snort mailing list archives
RE: SnortDB question
From: Fraser Hugh <hugh_fraser () dofasco ca>
Date: Fri, 3 Aug 2001 15:33:14 -0400
This configuration works well with snort, since each machine identifies itself and tags all alerts generated by it in the database. I use ACID to do the followup analysis. If you want to go the distributed route, the ideal solution is to install a second NIC in the probes and give them a separate LAN to converse with the database engine. This provides the "probes" with a private connection unaffected by disturbances in the network you're monitoring, and allows them to operate passively without announcing their presence on the network through a database connection. Admittedly, this isn't always doable, and in those cases I've opted to make the probes autonomous... each one runs snort logging to a database, with some additional apps watching the database for significant events, and a modem for paging.
-----Original Message-----
From: Julia A. Case [SMTP:julie () MageNet com]
Sent: Friday, August 03, 2001 10:13 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] SnortDB question

I've got a client that would like me to set up IDS for their networks, I'll have snort running on about 10 machines, and I want to log to a central database... Will this cause too much extra network traffic? Can I log to one database or do I need a separate database for each machine? I want to make this as simple as I can for them to monitor after I show them how to use it.

Julia
--
[ Julia Anne Case ] [ Ships are safe inside the harbor, ]
[Programmer at large] [ but is that what ships are really for. ]
[ Admining Linux ] [ To thine own self be true. ]
[ Windows/WindowsNT ] [ Fair is where you take your cows to be judged. ]
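As an added illustration of the dual-NIC probe setup Fraser describes (not configuration from the thread), the relevant snort.conf output line for one probe, with the interface names, database address, sensor name and credential placeholder all assumed:

```conf
# Added example, not from the thread. One probe with two NICs (assumed names):
#   eth0 - monitoring interface: promiscuous, no IP address, never transmits on the monitored LAN
#   eth1 - private management LAN shared only with the database server (assumed 10.1.1.10)
# Snort is started against the monitoring interface, e.g.:  snort -D -i eth0 -c /etc/snort/snort.conf
# The database connection then leaves via eth1, so the probe stays silent on the network it watches.
#
# Each alert row is tagged with sensor_name, so ten probes can share one database
# and ACID can filter or group by sensor. Give every probe a distinct sensor_name.
output database: alert, mysql, user=snort password=CHANGE_ME dbname=snort host=10.1.1.10 sensor_name=probe-01
```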