Snort mailing list archives
Re: 1.8.7 vs 1.9.0
From: Bennett Todd <bet () rahul net>
Date: Fri, 10 Jan 2003 14:00:45 -0500
2003-01-10T11:36:49 Saul Bosquez:
> Ok guys I already installed the 1.8.7 following directions from http://www.snort.org/docs/snort-rh7-mysql-ACID-1-5.pdf so please give me some directions to remove it completely from the machine so I can install the 1.9.0 version without conflicts.
That doc seems to recommend

    ./configure --with-mysql
    make
    make install

I've not done the --with-mysql bit, but AFAIK the "make install" part will simply install the snort executable in /usr/local/bin/ and man page in /usr/local/man/man8/; and so the 1.9.0 make install will simply overwrite them. I.e., you don't have to do anything.
> What updates do I need from http://www.redhat.com/support/errata/rh73-errata.html to get the snort running smoothly?
None. If you want to run various Red-Hat-provided services and avoid security problems, you should update those services, but Snort runs fine on stock RH73. Installing all the updates RedHat publishes that apply to packages that you have installed is generally good admin hygiene, but isn't specifically critical to Snort.
> About the topology.. I have two machines available for this project:
> 1- a proliant dl360 server with 2 ethernet cards
> 2- a celeron 500Mhz with 64Mb RAM and a 10gig hdd and 1 ethernet card
> What configuration do you recommend guys?
If traffic isn't an issue, then I'd run snort on the dual-interface proliant, and run MySQL and ACID on the one-interface box; I'd run ipchains or iptables configured to tightly restrict access to that box. The snort box would have one interface unnumbered with snort listening on it (I'd use eth1 for that) and the other would be the numbered management interface; it'd send its DB updates to the DB box through that interface. I'd ssh into the DB box to run ACID.

I suspect (although I don't know for sure) that the MySQL server would actually have to work harder than the snort box, unless you've got your config tuned so you trip very few alerts. If that's so, then if your traffic levels are high enough, you might have to reverse the roles of the two boxes, even though that'd leave you in the unfortunate situation of being unable to use an unnumbered interface for snorting.

-Bennett
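The two-box layout Bennett sketches (sensor with an unnumbered sniffing interface plus a numbered management interface, DB/ACID box locked down with iptables) as an added shell example; this is not code from the thread or from the Snort project. The 192.0.2.x addresses, the interface names and the snort.conf path are constructed placeholders. The functions only print the commands so the rule set can be reviewed before it is applied on the DB box.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Generates the iptables
# policy for the MySQL/ACID box and the bring-up commands for the sensor's
# unnumbered sniffing interface. All addresses below are constructed.

SENSOR_MGMT_IP="${SENSOR_MGMT_IP:-192.0.2.10}"   # assumed: snort box, numbered management eth0
ADMIN_IP="${ADMIN_IP:-192.0.2.20}"               # assumed: workstation that ssh's in to run ACID

# Print the DB-box rule set: default-deny inbound, MySQL (3306) only from the
# sensor's management address, SSH only from the admin host, log the rest.
gen_db_box_rules() {
    sensor="$1"; admin="$2"
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s $sensor --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp -s $admin --dport 22 -j ACCEPT
iptables -A INPUT -j LOG --log-prefix "db-box-drop: "
EOF
}

# The sniffing interface on the sensor gets no IP address: bring it up
# unnumbered and promiscuous, then point snort at it (-D = daemonize).
gen_sniff_iface_cmds() {
    iface="$1"
    cat <<EOF
ifconfig $iface 0.0.0.0 up
ifconfig $iface promisc
snort -i $iface -c /usr/local/etc/snort.conf -D
EOF
}

# Self-check: count ACCEPT rules for 3306 whose source is not the sensor.
# Anything other than 0 means the DB port is exposed more widely than intended.
mysql_rules_not_from_sensor() {
    gen_db_box_rules "$1" "$2" \
      | awk -v s="$1" '/--dport 3306/ && $0 !~ ("-s " s) { n++ } END { print n + 0 }'
}

# Usage: review the output, then pipe it to sh on the DB box.
#   gen_db_box_rules "$SENSOR_MGMT_IP" "$ADMIN_IP"
#   gen_sniff_iface_cmds eth1
```

Keep the 3306 rule tied to the sensor's management address rather than to a subnet; the self-check above is the kind of thing worth re-running whenever the rule set is edited, because the DB box holds every alert the sensor ever raised.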