Snort mailing list archives

Re: Multi Snort Clients


From: "Champ Clark III [Softwink]" <champ () softwink com>
Date: Thu, 27 Jan 2011 11:52:07 -0500

On Fri, Jan 28, 2011 at 05:40:45AM +1300, Ahmed Qaisi wrote:
Hi all,

I'm doing my master's in multiple-entity systems. One category of these
entities is multiple IDSs (Snorts).

Now, I have three IDS machines (clients) in three different subnets. I want
to be able to send all possible Snort logs from these clients through the
network to a particular (fourth) machine (server).

Can you please point me in the right direction?

        There are multiple ways to do this, and I'm sure there are plenty
of people on the list that'll have ideas. I don't know of any direct
documentation, but I might be able to point you in the right direction.

        The way I've done it is to have the three "sensors" report to
the server via Barnyard2/SQL. You then just have to figure out how
you want the database(s) to be set up. That is, one database for all
sensors, which will show up in the DB as separate sids (Sensor IDs),
or 3 databases with one sensor ID per sensor. It largely depends on
how you want the database to be stored/accessed.

        What I'd advise is you set up a sensor with Snort/Barnyard2/SQL
(MySQL/PostgreSQL/whatever) and go from there. That is, do _one_
sensor so you can understand _how_ Snort logs to the backend. Once
you understand that, you can go from there.


-- 
        Champ Clark III | Softwink, Inc | 800-538-9357 x 101
                     http://www.softwink.com

GPG Key ID: 58A2A58F
Key fingerprint = 7734 2A1C 007D 581E BDF7  6AD5 0F1F 655F 58A2 A58F
If it wasn't for C, we'd be using BASI, PASAL and OBOL.
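As an added example (not from the thread, nor Snort or Barnyard2 code), the "one database for all sensors" layout described above, modelled in sqlite3 with a simplified subset of the classic Snort database schema (sensor, signature and event tables) and constructed rows for three sensors; the table and column names follow that schema, the data is made up.

```python
import sqlite3

# Constructed: one sensor row per Snort sensor. In the shared-database
# setup each sensor is told apart only by its sid (Sensor ID).
SENSORS = [
    (1, "sensor-a", "eth0"),
    (2, "sensor-b", "eth0"),
    (3, "sensor-c", "eth1"),
]
SIGNATURES = [(1, "constructed scan signature"), (2, "constructed ping signature")]
# Constructed events: (sid, cid, signature, timestamp).
# cid is a per-sensor counter, so (sid, cid) together identify an event.
EVENTS = [
    (1, 1, 1, "2011-01-27 10:00:00"),
    (1, 2, 2, "2011-01-27 10:00:05"),
    (2, 1, 1, "2011-01-27 10:01:00"),
    (3, 1, 2, "2011-01-27 10:02:00"),
    (3, 2, 2, "2011-01-27 10:02:30"),
    (3, 3, 1, "2011-01-27 10:03:00"),
]


def build_db():
    """Create the shared database and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT);
        CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT);
        CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER,
                            timestamp TEXT, PRIMARY KEY (sid, cid));
    """)
    conn.executemany("INSERT INTO sensor VALUES (?,?,?)", SENSORS)
    conn.executemany("INSERT INTO signature VALUES (?,?)", SIGNATURES)
    conn.executemany("INSERT INTO event VALUES (?,?,?,?)", EVENTS)
    return conn


def alerts_per_sensor(conn):
    """Return {(hostname, interface): alert count}, splitting events by sid."""
    rows = conn.execute("""
        SELECT s.hostname, s.interface, COUNT(e.cid)
        FROM sensor s LEFT JOIN event e ON e.sid = s.sid
        GROUP BY s.sid ORDER BY s.sid
    """).fetchall()
    return {(host, iface): n for host, iface, n in rows}


def top_signature(conn, sid):
    """Most frequent signature name for one sensor, or None if it has no events."""
    row = conn.execute("""
        SELECT sig.sig_name, COUNT(*) AS n FROM event e
        JOIN signature sig ON sig.sig_id = e.signature
        WHERE e.sid = ? GROUP BY sig.sig_id ORDER BY n DESC LIMIT 1
    """, (sid,)).fetchone()
    return row[0] if row else None
```

The same queries work against a real Barnyard2-populated MySQL or PostgreSQL database once the sensors share one schema; with separate databases per sensor the sid column carries no distinguishing information.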
