Snort mailing list archives

Re: 1.8.7 vs 1.9.0


From: Bennett Todd <bet () rahul net>
Date: Fri, 10 Jan 2003 14:00:45 -0500

2003-01-10T11:36:49 Saul Bosquez:
Ok guys I already installed the 1.8.7 following directions from
http://www.snort.org/docs/snort-rh7-mysql-ACID-1-5.pdf so please give me
some directions to remove it completely from the machine so I can
install the 1.9.0 version without conflicts.

That doc seems to recommend

        ./configure --with-mysql
        make
        make install

I've not done the --with-mysql bit, but AFAIK the "make install"
part will simply install the snort executable in /usr/local/bin/ and
man page in /usr/local/man/man8/; and so the 1.9.0 make install will
simply overwrite them. I.e., you don't have to do anything.

What updates do I need from
http://www.redhat.com/support/errata/rh73-errata.html to get the
snort running smoothly?

None. If you want to run various Red-Hat-provided services and avoid
security problems, you should update those services, but Snort runs
fine on stock RH73. Installing all the updates RedHat publishes that
apply to packages that you have installed is generally good admin
hygiene, but isn't specifically critical to Snort.

About the topology.. I have two machines available for this project:
1- a proliant dl360 server with 2 ethernet cards
2- a celeron 500Mhz with 64Mb RAM and a 10gig hdd and 1 ethernet card
What configuration do you recommend guys?

If traffic isn't an issue, then I'd run snort on the dual-interface
proliant, and run MySQL and ACID on the one-interface box; I'd run
ipchains or iptables configured to tightly restrict access to that
box. The snort box would have one interface unnumbered with snort
listening on it (I'd use eth1 for that) and the other would be the
numbered management interface, it'd send its DB updates to the DB
box through that interface.

I'd ssh into the DB box to run ACID.

I suspect (although I don't know for sure) that the MySQL server
would actually have to work harder than the snort box, unless you've
got your config tuned so you trip very few alerts. If that's so,
then if your traffic levels are high enough, you might have to
reverse the roles of the two boxes, even though that'd leave you in
the unfortunate situation of being unable to use an unnumbered
interface for snorting.

-Bennett
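The two-box layout Bennett describes, written out as an added example (not part of his message or of the Snort project): the DB/ACID box gets a default-DROP iptables policy that admits only MySQL from the sensor's management address and ssh from one admin host, and the sensor's sniffing interface is brought up with no IP address. The addresses and interface names are placeholders; the rules are printed for review rather than applied unless you pass `apply`.

```sh
#!/bin/sh
# Constructed example for the snort-sensor / DB-box split described above.
# All addresses below are placeholders (RFC 5737 documentation range).
SNORT_MGMT_IP="${SNORT_MGMT_IP:-192.0.2.10}"   # sensor's numbered management interface
ADMIN_IP="${ADMIN_IP:-192.0.2.50}"             # workstation you ssh in from to use ACID
DB_IFACE="${DB_IFACE:-eth0}"                   # the DB box's only interface

# Emit the iptables rule set for the DB box. Default policy is DROP on INPUT and
# FORWARD; only the sensor may reach MySQL (3306) and only the admin host may
# reach sshd (22). Everything else is logged and dropped.
db_box_rules() {
  cat <<EOF
iptables -F INPUT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $DB_IFACE -p tcp -s $SNORT_MGMT_IP --dport 3306 -j ACCEPT
iptables -A INPUT -i $DB_IFACE -p tcp -s $ADMIN_IP --dport 22 -j ACCEPT
iptables -A INPUT -j LOG --log-prefix "dbbox-drop: "
EOF
}

# Emit the command that brings the sensor's sniffing interface up unnumbered:
# no IP address, ARP disabled so it never answers on the monitored segment,
# promiscuous so snort sees all frames. Argument: interface name (e.g. eth1).
sensor_sniff_iface() {
  cat <<EOF
ifconfig $1 0.0.0.0 -arp up promisc
EOF
}

case "${1:-show}" in
  apply) db_box_rules | sh ;;                 # run as root on the DB box
  *)     db_box_rules; sensor_sniff_iface eth1 ;;
esac
```

Apply the printed rules on the DB box with `sh thisscript.sh apply`, and run the `ifconfig` line on the sensor before starting snort with `-i eth1`.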
