Snort mailing list archives
Re: IDS architecture
From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 16 Nov 2012 20:18:28 -0500
On 11/16/2012 17:41, k vijay sai prashanth wrote:
> I have asked this question before and didn't get any straightforward replies so here goes my question again.
i believe i do recall this question and some of the answers you got...
> I have four sensor logging events to a database on the local machine. How should the architecture usually be?
architecture? of the machines? of the network layout?
> Should all the sensors be logging events to a common database server?
you can if you want or you can have each logging to its own database... it depends on your network's needs and your protection design... are you running multiple snort instances against the traffic on one interface or are you running multiple snorts looking at traffic on different interfaces? each has its own needs...
> How do I implement this database server.
i suspect that many use mySQL based on a lot of what i've read over the years... some use dedicated servers for their database since they have tons of traffic they are working with coming in over some very fat pipes... some might implement them on the machine(s) running their aggregation and reporting software like barnyard2 and the like...
> This question may seem trivial but please humour me and be as clear as possible.
it is not trivial but it is also not really possible to give one straight answer because it depends on your network and its needs for protection... many are using snort inline whereas i'm aware of many that run snort "on the side" sniffing everything flowing on un-numbered interfaces (ie: no IP numbers) so they cannot be detected or specifically targeted... some folks have them with specific control interfaces that only the admin side can access (3 NICs in the box, 2 for the traffic passing thru and the other one for admin and control)... others run snort right on their perimeter router/firewall box with all the tools on that same box... it is up to you to decide what is the best for the network(s) you are protecting and how to go about setting all of that up... then ask specific questions as they arise :)
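The common-database option the reply mentions (several sensors feeding one server through barnyard2) has one practical failure mode worth checking for: each sensor must announce a distinct hostname/interface pair, or the database cannot tell their events apart. The following is an added example, not code from the thread, Snort or barnyard2; it assumes barnyard2's `config hostname:`, `config interface:`, `config logdir:`, `input unified2` and `output database:` directives, and every hostname, path and credential in it is a constructed placeholder.

```python
"""Per-sensor barnyard2 output config for one shared database.
Added example for the thread above, not Snort/barnyard2 code. Assumes the
barnyard2 directives "config hostname/interface/logdir:", "input unified2"
and "output database:"; all hosts, paths and credentials are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Sensor:
    hostname: str   # "config hostname:"; must be unique per box
    interface: str  # "config interface:"; the sniffing NIC
    logdir: str     # where that sensor's snort writes unified2 files

def duplicate_keys(sensors):
    """barnyard2 registers one sensor row per (hostname, interface);
    sensors sharing a pair get their events merged. Return such pairs."""
    seen, dups = set(), []
    for s in sensors:
        key = (s.hostname, s.interface)
        if key in seen and key not in dups:
            dups.append(key)
        seen.add(key)
    return dups

def barnyard2_conf(sensor, db_host, db_name, db_user, db_password):
    """Render the fragment tying one sensor to the central DB. The password
    is in clear, so keep the generated file root-only readable."""
    return "\n".join([
        f"config hostname: {sensor.hostname}",
        f"config interface: {sensor.interface}",
        f"config logdir: {sensor.logdir}",
        "input unified2",
        f"output database: log, mysql, user={db_user} password={db_password} "
        f"dbname={db_name} host={db_host}",
    ])

def render_all(sensors, db_host, db_name, db_user, db_password):
    """One fragment per sensor; refuse deployments whose events could not
    be told apart once they share a database."""
    dups = duplicate_keys(sensors)
    if dups:
        raise ValueError(f"sensors collide on (hostname, interface): {dups}")
    return {(s.hostname, s.interface):
            barnyard2_conf(s, db_host, db_name, db_user, db_password)
            for s in sensors}

# Constructed example: four sensors, two boxes with two sniffing NICs each.
SENSORS = [Sensor("snort-edge1", "eth1", "/var/log/snort/eth1"),
           Sensor("snort-edge1", "eth2", "/var/log/snort/eth2"),
           Sensor("snort-edge2", "eth1", "/var/log/snort/eth1"),
           Sensor("snort-edge2", "eth2", "/var/log/snort/eth2")]
```

Each rendered fragment is dropped into that sensor's barnyard2.conf alongside its usual `config` lines; the collision check is what keeps a copied-and-forgotten hostname from silently folding two sensors' alerts into one row.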