Snort mailing list archives

Re: Snort Sniffing vs. Snort Database


From: Erek Adams <erek () snort org>
Date: Fri, 7 Mar 2003 16:07:21 -0500 (EST)

On Fri, 7 Mar 2003, Jan van den Berg wrote:

> I've read a few docs on the best installation of Snort for a network and
> it struck me that the best way of installing is by making a difference
> in functions.
>
> Most docs have machines set up for the actual sniffing and another
> machine for the logging to a mysql database.
>
> My question is: why make that difference? Is this better for the
> performance of the sniffing functions, or is this a safer way of keeping
> your data?

Yes.  ;-)

In high speed setups, you really want the sensor to run as quick as it
can.  You don't want _anything_ to slow it down.  If you sent your alerts
out thru the same interface you are sniffing on, you'd be sniffing the
same data twice.  You'd also start an endless loop, since you'll sniff an
alert possibly triggering another alert, and so on....

Quite often, you want to use an interface to sniff with that has no IP, for
security.  With no IP you can't send out alerts.

> Another question that comes to mind when setting up different machines
> is the actual logfiles. Say there are two sniffing machines: one before
> the firewall and one after. The one before is gonna get a lot more
> alerts and bigger log files. So do you set up different databases for
> both sniffing machines or put everything in one database? How can you
> keep track of the different alerts?
>
> Right now I am thinking if you have limited hardware the best place for
> the IDS would be after the firewall and have the database on the same
> machine.

Well, if you can put your DB anywhere else, I would suggest that.  As I
said above, you don't want to take away from any sniffing power that you
might need.

If you want to cut down on your alerts, then behind the firewall would be
the best place.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
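Jan's second question, keeping one database for two sensors, as an added example that is not from this thread and not Snort's own database output plugin: each sensor gets a row in a sensor table, every event carries that sensor's id, and the per-sensor alert counts (more outside the firewall than inside) fall out of one query. The alert_fast-style lines, hostnames and interface names below are constructed.

```python
import re
import sqlite3

# Constructed alert_fast-style lines. The outside sensor also sees the worm
# traffic the firewall would drop, so it logs more than the inside sensor.
OUTSIDE_ALERTS = """\
03/07-16:01:02.100000  [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Priority: 2] {UDP} 10.9.9.9:1434 -> 192.0.2.10:1434
03/07-16:01:03.200000  [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Priority: 2] {UDP} 10.9.9.9:1434 -> 192.0.2.11:1434
03/07-16:02:10.000000  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Priority: 2] {TCP} 10.8.8.8:4021 -> 192.0.2.20:80
"""
INSIDE_ALERTS = """\
03/07-16:02:10.050000  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Priority: 2] {TCP} 10.8.8.8:4021 -> 192.0.2.20:80
"""

# timestamp [**] [gid:sid:rev] msg [**] ... [Priority: n] {proto} src:sport -> dst:dport
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_fast_line(line):
    """Return the fields of one alert_fast line, or None if it does not parse."""
    m = FAST_RE.match(line.strip())
    return m.groupdict() if m else None

def build_db():
    """One shared database: a sensor table plus an event table keyed by sensor_id."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE sensor (sensor_id INTEGER PRIMARY KEY, hostname TEXT, interface TEXT, placement TEXT);
        CREATE TABLE event (sensor_id INTEGER, ts TEXT, gid INTEGER, sid INTEGER, msg TEXT,
                            proto TEXT, src TEXT, sport INTEGER, dst TEXT, dport INTEGER);
    """)
    return db

def register_sensor(db, hostname, interface, placement):
    cur = db.execute("INSERT INTO sensor (hostname, interface, placement) VALUES (?, ?, ?)",
                     (hostname, interface, placement))
    return cur.lastrowid

def load_alerts(db, sensor_id, text):
    """Tag every parsed alert with the sensor it came from; returns rows inserted."""
    n = 0
    for line in text.splitlines():
        a = parse_fast_line(line)
        if a is None:
            continue  # skip lines that are not alerts (e.g. headers)
        db.execute("INSERT INTO event VALUES (?,?,?,?,?,?,?,?,?,?)",
                   (sensor_id, a["ts"], int(a["gid"]), int(a["sid"]), a["msg"], a["proto"],
                    a["src"], int(a["sport"]), a["dst"], int(a["dport"])))
        n += 1
    db.commit()
    return n

def alerts_per_sensor(db):
    """Map each sensor's placement to its alert count (sensors with no alerts count 0)."""
    rows = db.execute("SELECT s.placement, COUNT(e.sid) FROM sensor s LEFT JOIN event e "
                      "USING (sensor_id) GROUP BY s.sensor_id ORDER BY s.sensor_id").fetchall()
    return dict(rows)

def demo():
    db = build_db()
    outside = register_sensor(db, "sensor-outside", "eth1", "outside")
    inside = register_sensor(db, "sensor-inside", "eth1", "inside")
    load_alerts(db, outside, OUTSIDE_ALERTS)
    load_alerts(db, inside, INSIDE_ALERTS)
    return alerts_per_sensor(db)  # {'outside': 3, 'inside': 1}
```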

