Snort mailing list archives
Distributed Snort..
From: "Charles Hessifer" <charles.hessifer () genuity com>
Date: Sun, 22 Jul 2001 01:30:32 -0400
All,

I am setting up a distributed Snort infrastructure that consists of 10 dual-homed network sensors, with one interface using 1918 and the other not yet configured. All machines will report back to my Demarc console, and they will also all use the same MySQL database, which happens to be the same machine as the Demarc console. So here are a few questions that I have:

1. Is there a way to just leave the sensor's interface not configured, meaning no IP address assigned to it, possibly just in promisc mode? Will this pick up any and all traffic the interface sees for Snort? The reason for this is I am limited on public addresses and would like to make it work without asking for more address space. I have used NFR and ISS RealSecure 6.0 in the past, and they allow you to use an interface that has no address assigned to it for IDS. This way all other communications to and from the MySQL database and Demarc console could be done over 1918 address space.

2. Has anyone successfully configured multiple sensors to use the same database as well as report into Demarc?

The goal here is to show that with a little planning, organization, and determination I can get just as much out of a distributed Snort infrastructure as I did with NFR and ISS, but only a hell of a lot cheaper!
-----------------------------------------------------------------
Charles A. Hessifer      | Voice: (781) 262-5010
Security Analyst         | Fax: (781) 262-2819
GENUITY, OPSEC Team      | e-mail: chessife () genuity com
3 Van De Graaff          | http://www.genuity.com
Burlington, MA 01802     | PGP ID: 0x7C702C5D
-----------------------------------------------------------------
PGP Fingerprint: DA82 2981 E5A0 8870 9A33 52D0 716A 854D 7C70 2C5D
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
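The stealth-interface and shared-database setup the post asks about, written out as an added example that is not part of the original message or of the Snort project's own scripts. The interface names (eth1 sniffing, management on the 1918 side), the 10.10.0.5 console/database address, the database credentials and the availability of the sensor_name parameter in the "output database" plugin are all assumptions; check README.database for the Snort version actually deployed.

```shell
#!/bin/sh
# Added example (not from the original post). Bring up an unnumbered,
# promiscuous sniffing interface and point the sensor at a shared MySQL
# database with a per-sensor name.
#
# Assumptions (hypothetical): eth1 is the sniffing interface, the console/DB
# host is 10.10.0.5 on the management (1918) network, the DB and user are
# both called "snort", and this Snort build's database plugin accepts
# sensor_name.

SNIFF_IF="${SNIFF_IF:-eth1}"
DB_HOST="${DB_HOST:-10.10.0.5}"
DB_NAME="${DB_NAME:-snort}"
DB_USER="${DB_USER:-snort}"

# Bring the sniffing interface up with no address at all. A promiscuous
# capture socket still receives every frame the NIC sees, but with no IP
# the sensor never answers ARP or anything else on the monitored segment.
stealth_up() {
    iface="$1"
    if command -v ip >/dev/null 2>&1; then
        ip addr flush dev "$iface"
        ip link set dev "$iface" up promisc on
    else
        ifconfig "$iface" 0.0.0.0 up promisc
    fi
}

# Sanity check before trusting Snort on the unnumbered interface:
# grab a few frames; an empty result means the span/tap is not delivering.
stealth_check() {
    tcpdump -n -i "$1" -c 5 2>/dev/null
}

# Build the snort.conf output line. All sensors write to one database, so
# each must carry a distinct sensor_name or their events become
# indistinguishable in the console. The password comes from $2, not the
# script, so the script itself can be checked in.
snort_db_output() {
    sensor="$1"
    password="$2"
    printf 'output database: alert, mysql, user=%s password=%s dbname=%s host=%s sensor_name=%s\n' \
        "$DB_USER" "$password" "$DB_NAME" "$DB_HOST" "$sensor"
}

# Only act when explicitly asked; sourcing or testing the file does nothing.
if [ "${1:-}" = "apply" ]; then
    stealth_up "$SNIFF_IF"
    stealth_check "$SNIFF_IF"
    # hostname is a cheap unique sensor_name across a fleet of ten boxes.
    snort_db_output "$(hostname)" "$SNORT_DB_PASS" >> /etc/snort/snort.conf
    # -i binds Snort to the stealth interface; management traffic to the
    # database leaves over the addressed interface by normal routing.
    snort -D -i "$SNIFF_IF" -c /etc/snort/snort.conf -l /var/log/snort
fi
```

Run it as `SNORT_DB_PASS=... sh sensor-setup.sh apply` on each sensor. Because every sensor shares one MySQL user, give that user only the INSERT/SELECT rights the plugin needs and restrict TCP 3306 on the console to the sensors' 1918 management addresses; the sniffing interface, having no address, cannot be the path for that traffic.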
Current thread:
- Distributed Snort.. Charles Hessifer (Jul 21)
- RE: Distributed Snort.. John Berkers (Jul 22)
- <Possible follow-ups>
- RE: Distributed Snort.. Oxenreider, Jeff (Jul 23)