Snort mailing list archives

Re: Best way to deploy snort


From: Kum Weng Luey <kumwengluey () gmail com>
Date: Wed, 7 Apr 2010 09:42:48 +0800

Yet another question. I tried installing barnyard2; somehow it's not pushing
data to the mysql server. However, when I shut down barnyard2, packages are being
read from the spool or .alert files. I have copied my configurations from
barnyard to barnyard2. Why is this so?

Thank you, Paul, for answering my initial query.

regards,
KW



On Wed, Apr 7, 2010 at 2:48 AM, Paul Schmehl <pschmehl_lists () tx rr com>wrote:

--On Tuesday, April 06, 2010 09:51:40 +0800 Kum Weng Luey <
kumwengluey () gmail com> wrote:

Hi all,

I was wondering what would be the optimal setting to deploy snort with
base
and barnyard.


1) Don't use barnyard.  Use barnyard2.


I am thinking of separating the mysql database from snort
itself and place it on a remote server.


That's up to you.  Either way will work.  Depending upon how much
horsepower your box has (cpu and memory) snort and mysql can coexist on the
same box.


I am wondering do I need to have an
additional interface for snort ? One interface for sniffing and the other
to
push alerts to the mysql server.


Yes.  One interface for passive sniffing, and one interface for management
of the box.  It doesn't matter if mysql is local or remote.  You will still
need two interfaces.



One last question: Would snort be better off being placed in the DMZ to
sniff
incoming traffic or within the internal LAN between the router and the
firewall.


That depends entirely upon your network topology and what you want to
monitor. Snort will "see" whatever traffic passes its passive interface.
What traffic that is depends upon what you are trying to accomplish.

--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
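The data path the thread is about is snort writing unified2 records into a spool directory and barnyard2 reading them back (the -d spool directory, -f file prefix and -w waldo options) before handing each event to its output plugin. A quick way to separate "barnyard2 is not reading the spool" from "barnyard2 reads it but the mysql output is not working" is to look at the spool yourself. The reader below is an added example written for this archive page; it is not code from the Snort or barnyard2 projects, and the spool bytes it parses are constructed inline rather than captured from a sensor. It handles only the two record types every IPv4 alert produces (type 7, IDS event, and type 2, packet); other record types are reported by number and skipped. If it shows events in the file barnyard2 is pointed at, the rest of the problem lies in the output database configuration.

```python
"""Minimal reader for the unified2 spool records Snort writes and barnyard2
consumes.  Added example, not Snort or barnyard2 code.  Parses type 7
(IPv4 IDS event) and type 2 (packet) records; the sample spool at the
bottom is constructed here, not captured from a real sensor."""

import socket
import struct
from typing import Iterator

# Record header: type and length, both unsigned 32-bit, network byte order.
RECORD_HDR = struct.Struct("!II")
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

# Unified2IDSEvent (type 7): sensor_id, event_id, event_second,
# event_microsecond, signature_id, generator_id, signature_revision,
# classification_id, priority_id, ip_source, ip_destination, sport_itype,
# dport_icode, protocol, impact_flag, impact, blocked  (52 bytes).
IDS_EVENT = struct.Struct("!IIIIIIIIIIIHHBBBB")
# Unified2Packet (type 2): sensor_id, event_id, event_second, packet_second,
# packet_microsecond, linktype, packet_length, then the raw packet bytes.
PACKET_HDR = struct.Struct("!IIIIIII")


def read_records(spool: bytes) -> Iterator[dict]:
    """Yield one dict per record; stop cleanly at a truncated tail, which is
    normal when Snort is still appending to the current spool file."""
    off = 0
    while off + RECORD_HDR.size <= len(spool):
        rtype, rlen = RECORD_HDR.unpack_from(spool, off)
        body = spool[off + RECORD_HDR.size: off + RECORD_HDR.size + rlen]
        if len(body) < rlen:
            break  # partial record: Snort has not finished writing it yet
        off += RECORD_HDR.size + rlen
        if rtype == UNIFIED2_IDS_EVENT and rlen >= IDS_EVENT.size:
            f = IDS_EVENT.unpack_from(body)
            yield {
                "type": "event",
                "sensor_id": f[0], "event_id": f[1],
                "timestamp": f[2] + f[3] / 1e6,
                "sid": f[4], "gid": f[5], "rev": f[6],
                "classification": f[7], "priority": f[8],
                "src": socket.inet_ntoa(struct.pack("!I", f[9])),
                "dst": socket.inet_ntoa(struct.pack("!I", f[10])),
                "sport": f[11], "dport": f[12], "proto": f[13],
            }
        elif rtype == UNIFIED2_PACKET and rlen >= PACKET_HDR.size:
            p = PACKET_HDR.unpack_from(body)
            yield {"type": "packet", "event_id": p[1], "linktype": p[5],
                   "pkt_len": p[6],
                   "data": body[PACKET_HDR.size:PACKET_HDR.size + p[6]]}
        else:
            yield {"type": "other", "record_type": rtype, "length": rlen}


def build_alert(event_id: int, sid: int, src: str, dst: str,
                sport: int, dport: int, payload: bytes) -> bytes:
    """Construct one alert as Snort spools it: an event record followed by
    the packet record that triggered it.  Sample data, not a real capture."""
    ip = lambda a: struct.unpack("!I", socket.inet_aton(a))[0]
    ev = IDS_EVENT.pack(1, event_id, 1270600968, 0, sid, 1, 1, 3, 2,
                        ip(src), ip(dst), sport, dport, 6, 0, 0, 0)
    pkt = PACKET_HDR.pack(1, event_id, 1270600968, 1270600968, 0, 1,
                          len(payload)) + payload
    return (RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(ev)) + ev
            + RECORD_HDR.pack(UNIFIED2_PACKET, len(pkt)) + pkt)


# Constructed spool: two complete alerts plus a half-written event record,
# which is what the tail of a live spool file usually looks like.
SAMPLE_SPOOL = (
    build_alert(1, 1000001, "10.0.0.5", "192.168.1.20", 40123, 80, b"GET /etc/passwd")
    + build_alert(2, 1000002, "10.0.0.6", "192.168.1.20", 40124, 22, b"SSH-2.0-")
    + RECORD_HDR.pack(UNIFIED2_IDS_EVENT, IDS_EVENT.size) + b"\x00" * 10
)


def summarize(spool: bytes) -> dict:
    """Counts a practitioner checks first: complete events and packets found."""
    recs = list(read_records(spool))
    events = [r for r in recs if r["type"] == "event"]
    packets = [r for r in recs if r["type"] == "packet"]
    return {"events": len(events), "packets": len(packets),
            "sids": [e["sid"] for e in events], "records": len(recs)}


if __name__ == "__main__":
    for rec in read_records(SAMPLE_SPOOL):
        print(rec)
    print(summarize(SAMPLE_SPOOL))
```

To use it on a real sensor, read the current spool file (the one matching the prefix given to barnyard2 with -f, in the directory given with -d) into `spool` and call `summarize` on it; the half-written record at the end is expected and is exactly why barnyard2 tracks its position in the waldo file rather than assuming the file is complete.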


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
