Snort mailing list archives

Re: Distributed Snort possibility?


From: Kevin Ross <kevross33 () googlemail com>
Date: Sat, 11 Dec 2010 16:21:38 +0000

1) I would first put ones inside your network. I would advise behind any
networks which go between you and the outside (i.e. internet gateways). Doing
this you will see stuff which is actually in your network. I would also
advise using the emergingthreats.net rules to look for malware, botnet
control traffic (with the IP lists) and so on.

2) Yes, just remember to bind mysql to the network address and create a user
in mysql which can log into the mysql database from the remote sensor. Also
use barnyard to actually write the alerts rather than have snort do it, and
have snort write the alerts in unified logs. That way the snort process
doesn't have to spend time writing alerts to a database (which would be even
worse across the network), so you will improve your sensor performance and
drop fewer packets.

3) No, assuming you mean can one sensor read the rules of another. What to do
is have oinkmaster or pulledpork and use them to enable and disable rules
based on the sid number. Then have a script run oinkmaster/pulledpork to
download the rules and tune them, so if the tuning is the same then all you
have to think about is getting the oinkmaster.conf or pulledpork conf files
onto other sensors for them to use. Also make sure you disable rules you are
not using in the snort.conf files by the rule files and then tune from
there. Also you can use threshold.conf to help tune out false positives on
individual sensors or move that across (i.e. if you have noisy
internal/external hosts which you know are ok you can suppress the alert).

Hope that answers your question. Drop me an email if you need any help or
more questions answered and I will do my best. Kevin
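As an added illustration of points 2 and 3 above (this is not code from Kevin's mail or from the Snort, Barnyard2 or PulledPork projects), the shell functions below stage the configuration fragments involved: Snort writing unified2 only, Barnyard2 doing the remote database writes, MySQL bound to the LAN address with a user restricted to the sensor subnet, a PulledPork disablesid.conf to share between sensors, and per-sensor threshold.conf suppress lines. The database host 10.0.0.5, the sensor subnet 10.0.0.%, the "snort" user and password, and the SIDs and IPs used are assumed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. All hosts, subnet, credentials and SIDs
# below are constructed placeholders; adapt them to your own deployment.
set -eu

STAGE="${STAGE:-$(mktemp -d)}"

# Sensor side: Snort only spools binary unified2 records, rotated at 128 MB.
# No database output plugin here, so the capture process never blocks on the DB.
write_snort_output() {
    cat > "$STAGE/snort-output.conf" <<'EOF'
# snort.conf fragment (sensor)
output unified2: filename snort.u2, limit 128
EOF
}

# Sensor side: Barnyard2 tails the unified2 spool and writes to the central DB.
write_barnyard2_conf() {
    db_host="$1"; db_pass="$2"
    cat > "$STAGE/barnyard2.conf" <<EOF
config hostname: sensor-01
config interface: eth1
input unified2
output database: log, mysql, user=snort password=$db_pass dbname=snort host=$db_host
EOF
}

# Database side: listen on the LAN address (not 0.0.0.0), and grant the
# Barnyard2 user only what it needs, from the sensor subnet only (not '%').
write_mysql_setup() {
    db_host="$1"; sensor_net="$2"; db_pass="$3"
    printf '[mysqld]\nbind-address = %s\n' "$db_host" > "$STAGE/snort-db.cnf"
    cat > "$STAGE/grant-snort.sql" <<EOF
CREATE USER 'snort'@'$sensor_net' IDENTIFIED BY '$db_pass';
GRANT SELECT, INSERT, UPDATE ON snort.* TO 'snort'@'$sensor_net';
FLUSH PRIVILEGES;
EOF
}

# Shared tuning: PulledPork's disablesid.conf takes one "gid:sid" per line.
# Generate it once and copy the same file to every sensor.
gen_disablesid() {
    for sid in "$@"; do
        printf '1:%s\n' "$sid"
    done
}

# Per-sensor tuning: threshold.conf suppress lines for hosts known to be
# benign, so one sensor can silence a noisy source without editing the rules.
gen_suppress_conf() {
    gid="$1"; sid="$2"; shift 2
    for ip in "$@"; do
        printf 'suppress gen_id %s, sig_id %s, track by_src, ip %s\n' "$gid" "$sid" "$ip"
    done
}

# Small check: does a staged file point at the expected database host?
config_mentions_host() {
    grep -q "host=$2" "$STAGE/$1"
}

# Stage everything with the placeholder values.
write_snort_output
write_barnyard2_conf 10.0.0.5 change-me
write_mysql_setup 10.0.0.5 '10.0.0.%' change-me
gen_disablesid 2000345 2001219 > "$STAGE/disablesid.conf"
gen_suppress_conf 1 2000345 10.1.1.54 10.1.1.55 > "$STAGE/threshold.conf"
echo "staged configuration fragments in $STAGE"
```

Run it as-is and inspect the staged files; the point of the split is that the only process touching the network database is Barnyard2, and the only account that can reach that database is confined to the sensor subnet with INSERT/SELECT/UPDATE rather than full privileges.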

On 11 December 2010 15:44, turki <turki_00 () yahoo com> wrote:

Hi

I am new to Snort and I have these totally newbies questions:

1- Can Snort monitor remote network traffic? Meaning Snort is installed in
a local network and it needs to monitor/capture packets from a remote network.
Is this possible? (I am not sure where the Snort sensor should be installed in
this case, in the local network or in the remote network?)

2- If I have 2 separate machines in the same network, each running its own
Snort, can they (both) log alerts into the same MySQL db? (shared db for
multiple Snort instances?)

3- Same scenario as question 2 (above): can the two Snort machines share
the same rules between them?

Thank you,



------------------------------------------------------------------------------
Oracle to DB2 Conversion Guide: Learn learn about native support for
PL/SQL,
new data types, scalar functions, improved concurrency, built-in packages,
OCI, SQL*Plus, data movement tools, best practices and more.
http://p.sf.net/sfu/oracle-sfdev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users