Snort mailing list archives

Re: Multiple sensors


From: Erek Adams <erek () theadamsfamily net>
Date: Wed, 6 Mar 2002 11:11:01 -0800 (PST)

On Wed, 6 Mar 2002, Mike Arrison wrote:

      I currently have a single snort box sniffing our network uplink and
logging alerts to a mysql database on the same machine.  I'd like to setup
other sensors on different VLANs in our network but keep alerting somehow
centralized.  Do you suggest that I:

a) Use a remote mysql database connection to send the alerts back to the
original mysql database
b) Is there some built in snort connectivity to gather alerts?
c) Log locally and cron up a mysqldump every hour or so (ewww, this is an
icky idea).

Well...  How about:

  d)  Part of (a) and something else.  :)


      Things to consider:

a) I'd prefer to keep only one set of rules, rather than different
snort.conf etc... on each sniffer.
b) If necessary, I can directly connect the multiple sniffers with a
crossover cable

If your sensors are placed so that you can physically connect them, I'd
suggest backending them all onto a switch along with your MySQL box.  Have all
the data sent over the backend connection, with no outside connectivity.  Use
barnyard on the sensors and have it spool out to the DB.

On config files:  If all the sensors are connected over the same backend net,
use your MySQL box as a main station and rsync the rules and .conf files.
Depending on your traffic, network, and boredom you might want to consider
having different .confs for different VLANs.  On the console name them like
vlan1.conf, vlan2.conf, etc.  Rsync or scp to the snort.conf on the remote box
via a script and all should be well.

This is just one way...  There will be lots of others.  Most important thing:
DO WHAT WORKS BEST FOR YOU.  :)  This might work fine for me, but it may not
for you.

      All suggestions welcome.  Thanks.

I suggest you send me all your money.  ;-)

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
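As an added illustration (not part of the thread, and not Snort's or Barnyard's own tooling), here is one way the console-side sync script Erek sketches could look: the MySQL box holds the shared rules plus one vlanN.conf per sensor, checks each conf with `snort -T` (Snort's test mode) and only then rsyncs the rules and scps the conf onto the sensor's snort.conf over the backend net. The directory layout, the `sensors` map file and every variable name are assumptions.

```shell
#!/bin/sh
# Console-side push script (added example). Assumed layout under $CONSOLE_DIR:
#   rules/        shared rule set, identical for every sensor
#   vlan<N>.conf  per-VLAN snort.conf, one per sensor
#   sensors       map file, one "<backend-hostname> <N>" per line
# Each sensor ends up with $SENSOR_DIR/rules/ and $SENSOR_DIR/snort.conf.
set -u

CONSOLE_DIR="${CONSOLE_DIR:-/etc/snort/console}"
SENSOR_DIR="${SENSOR_DIR:-/etc/snort}"
DRY_RUN="${DRY_RUN:-0}"   # 1: print the copy commands instead of running them

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Refuse to push a config snort itself rejects (snort -T is its test mode).
# Assumes the conf's rule paths also resolve on the console; set SNORT= to
# skip the parse check, or leave it unset to use snort from PATH.
check_conf() {
    conf="$1"
    [ -f "$conf" ] || { echo "missing config: $conf" >&2; return 1; }
    snort_bin="${SNORT-snort}"
    if [ -n "$snort_bin" ] && command -v "$snort_bin" >/dev/null 2>&1; then
        "$snort_bin" -T -q -c "$conf" >/dev/null 2>&1 ||
            { echo "snort -T rejects $conf" >&2; return 1; }
    fi
}

# Push the shared rules and this sensor's own vlan<N>.conf over the backend net.
push_sensor() {
    host="$1"; vlan="$2"
    conf="$CONSOLE_DIR/vlan$vlan.conf"
    check_conf "$conf" || return 1
    run rsync -a --delete "$CONSOLE_DIR/rules/" "$host:$SENSOR_DIR/rules/"
    run scp -q "$conf" "$host:$SENSOR_DIR/snort.conf"
}

# Walk the sensor map; a bad entry is reported but does not block the others.
# Returns the number of sensors that failed.
push_all() {
    failed=0
    while read -r host vlan; do
        case "$host" in ''|'#'*) continue ;; esac
        push_sensor "$host" "$vlan" || failed=$((failed + 1))
    done < "$CONSOLE_DIR/sensors"
    return "$failed"
}
```

Run it from cron on the console with DRY_RUN=1 first to see exactly which copies it would make before letting it touch the sensors.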

