Snort mailing list archives

Snort Sniffing vs. Snort Database


From: "Jan van den Berg" <jan () e-commercepark com>
Date: Fri, 7 Mar 2003 16:12:46 -0400

Hi there,


I've read a few docs on the best installation of Snort for a network and
it struck me that the best way of installing is by making a difference
in functions.

Most docs have machines set up for the actual sniffing and another
machine for the logging to a mysql database. 

My question is: why make that difference? Is this better for the
performance of the sniffing functions or is this a safer way of keeping
your data?

Another question that comes to mind when setting up different machines
is the actual logfiles. Say there are two sniffing machines; one before
the firewall and one after. The one before is going to get a lot more
alerts and bigger log files. So do you set up different databases for
both sniffing machines or put everything in one database? How can you keep
track of the different alerts?

Right now I am thinking if you have limited hardware the best place for
the IDS would be after the firewall and have the database on the same
machine. 

Opinions and thoughts please?


Jan van den Berg
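The "how do I keep track of alerts from two sensors in one database" question can be answered with the sensor table that Snort's database output plugin already maintains: each sensor is registered with its own `sid` (set apart by the `sensor_name=` parameter on the `output database:` line of each snort.conf), and every event row carries that `sid`. The following is an added example, not code from the poster or from the Snort project: it builds a reduced, constructed copy of three tables from the classic Snort database schema (`sensor`, `signature`, `event`) in SQLite, fills it with made-up rows for an outside and an inside sensor, and runs the per-sensor queries an analyst would use to compare the two. The hostnames, signature rows and timestamps are all constructed.

```python
import sqlite3

# Reduced copy of three tables from the classic Snort database schema.
# Column names follow that schema; everything inserted below is constructed.
SCHEMA = """
CREATE TABLE sensor (
    sid       INTEGER PRIMARY KEY,   -- sensor id, one per registered sensor
    hostname  TEXT,                  -- the sensor_name= value from snort.conf
    interface TEXT,
    filter    TEXT,
    detail    INTEGER,
    encoding  INTEGER,
    last_cid  INTEGER
);
CREATE TABLE signature (
    sig_id       INTEGER PRIMARY KEY,
    sig_name     TEXT,
    sig_class_id INTEGER,
    sig_priority INTEGER,
    sig_rev      INTEGER,
    sig_sid      INTEGER,
    sig_gid      INTEGER
);
CREATE TABLE event (
    sid       INTEGER,               -- which sensor raised the alert
    cid       INTEGER,               -- per-sensor event counter
    signature INTEGER,               -- references signature.sig_id
    timestamp TEXT,
    PRIMARY KEY (sid, cid)
);
"""

# Constructed sample data: one sensor outside the firewall, one inside.
SAMPLE_SENSORS = [
    (1, "outside-sensor", "eth0", None, 1, 0, 0),
    (2, "inside-sensor", "eth0", None, 1, 0, 0),
]
SAMPLE_SIGNATURES = [
    (1, "ICMP PING NMAP", 1, 2, 1, 469, 1),
    (2, "WEB-IIS cmd.exe access", 2, 1, 1, 1002, 1),
]
# (sid, cid, signature, timestamp): the outside sensor sees far more noise,
# while one web alert shows up on both sides of the firewall.
SAMPLE_EVENTS = [
    (1, 1, 1, "2003-03-07 10:00:01"),
    (1, 2, 1, "2003-03-07 10:00:05"),
    (1, 3, 2, "2003-03-07 10:01:00"),
    (1, 4, 1, "2003-03-07 10:02:00"),
    (2, 1, 2, "2003-03-07 10:01:01"),
]


def build_db():
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO sensor VALUES (?,?,?,?,?,?,?)", SAMPLE_SENSORS)
    conn.executemany("INSERT INTO signature VALUES (?,?,?,?,?,?,?)", SAMPLE_SIGNATURES)
    conn.executemany("INSERT INTO event VALUES (?,?,?,?)", SAMPLE_EVENTS)
    return conn


def alerts_per_sensor(conn):
    """Total alert count per sensor, keyed by hostname: shows the volume gap."""
    rows = conn.execute(
        "SELECT s.hostname, COUNT(*) FROM event e "
        "JOIN sensor s ON e.sid = s.sid GROUP BY s.hostname"
    ).fetchall()
    return dict(rows)


def top_signatures(conn, hostname):
    """Most frequent signatures for one sensor, as (sig_name, count) pairs."""
    return conn.execute(
        "SELECT g.sig_name, COUNT(*) AS n FROM event e "
        "JOIN sensor s ON e.sid = s.sid "
        "JOIN signature g ON e.signature = g.sig_id "
        "WHERE s.hostname = ? GROUP BY g.sig_name ORDER BY n DESC, g.sig_name",
        (hostname,),
    ).fetchall()


def seen_on_both_sides(conn):
    """Signature names raised by every registered sensor: with an outside and
    an inside sensor, these are the alerts the firewall did not stop."""
    rows = conn.execute(
        "SELECT g.sig_name FROM event e "
        "JOIN signature g ON e.signature = g.sig_id "
        "GROUP BY g.sig_name "
        "HAVING COUNT(DISTINCT e.sid) = (SELECT COUNT(*) FROM sensor) "
        "ORDER BY g.sig_name"
    ).fetchall()
    return [name for (name,) in rows]


if __name__ == "__main__":
    db = build_db()
    print(alerts_per_sensor(db))
    print(top_signatures(db, "outside-sensor"))
    print(seen_on_both_sides(db))
```

Because the `(sid, cid)` pair is the event key, two sensors writing to one database never collide, and the "seen on both sides" query is only possible when they share a database; keeping separate databases per sensor would force that correlation to be done by hand.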
