Snort mailing list archives
Re: SnortDB question
From: "Travis Dawson" <tdawson () bluemartini com>
Date: Fri, 03 Aug 2001 16:53:38 -0700
I've got a client that would like me to set up IDS for their networks, I'll have snort running on about 10 machines, and I want to log to a central database... Will this cause too much extra network traffic? Can I log to one database or do I need a separate database for each machine? I want to make this as simple as I can for them to monitor after I show them how to use it.
Julia
I did a smaller version of this and found that the DB traffic wasn't a lot but enough to be annoying during high peak periods. I ended up with all the sensors on a separate (unrouteable) network and the DB machine with dual NICs (one on the sensor network and one accessible to the users) and used ACID for viewing the alerts. The traffic was now isolated and not a problem, and the central DB made it easy to hunt down attacks. So I would suggest creating a separate network if possible and using ACID for viewing on a dedicated (and beefy) central DB.
-tdawson -Network Geek (Bit Pusher)-BlueMartini Software