Snort mailing list archives
Re: Snort Sniffing vs. Snort Database
From: Erek Adams <erek () snort org>
Date: Fri, 7 Mar 2003 16:07:21 -0500 (EST)
On Fri, 7 Mar 2003, Jan van den Berg wrote:
> I've read a few docs on the best installation of Snort for a network and it struck me that the best way of installing is by making a difference in functions. Most docs have machines set up for the actual sniffing and another machine for the logging to a MySQL database. My question is: why make that difference? Is this better for the performance of the sniffing functions or is this a safer way of keeping your data?
Yes. ;-) In high speed setups, you really want the sensor to run as quick as it can. You don't want _anything_ to slow it down. If you sent your alerts out through the same interface you are sniffing on, you'd be sniffing the same data twice. You'd also start an endless loop, since you'll sniff an alert possibly triggering another alert, and so on.... Quite often, you want to use an interface to sniff with that has no IP for security. With no IP you can't send out alerts.
> Another question that comes to mind when setting up different machines is the actual logfiles. Say there are two sniffing machines; one before the firewall and one after. The one before is going to get a lot more alerts and bigger log files. So do you set up different databases for both sniffing machines or put everything in one database? How can you keep track of the different alerts? Right now I am thinking if you have limited hardware the best place for the IDS would be after the firewall and have the database on the same machine.
Well, if you can put your DB anywhere else, I would suggest that. As I said above, you don't want to take away from any sniffing power that you might need. If you want to cut down on your alerts, then behind the firewall would be the best place.

Cheers!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson
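The split Erek describes (sensor sniffing on an address-less interface, database kept off the sensor) can be expressed as two `snort.conf` output configurations side by side. This is an added illustration, not configuration from the thread or from the Snort project; the directive names are the Snort 2.x `output database` / `log_unified` plugins and the Barnyard `log_acid_db` plugin as I recall them, so check them against the version you actually run, and the hostnames, paths and sensor ids are placeholders.

```conf
# ---- Setting to avoid: the sensor itself talks to MySQL ----
# Every alert costs the sensor a database round-trip, and if the DB host
# is reached through the same wire the sensor sniffs, the sensor sees
# its own alert traffic (the loop Erek describes).
#
# output database: log, mysql, user=snort password=CHANGEME dbname=snort host=db.example.test

# ---- Preferred: sensor only writes a local binary spool ----
# Sniffing interface brought up with no address (placeholder name eth1):
#   ifconfig eth1 up promisc          # no IP assigned, so nothing can be sent from it
#   snort -c /etc/snort/snort.conf -i eth1 -D
#
# Unified output is append-only and cheap; "limit 128" rolls the file at 128 MB.
output alert_unified: filename snort.alert, limit 128
output log_unified:   filename snort.log,   limit 128

# ---- barnyard.conf on the logging side (separate host or management NIC) ----
# Barnyard reads the spool files Snort wrote and does the slow DB inserts,
# so a busy DB never stalls packet capture. sensor_id (assumed option)
# lets one database hold the "before firewall" and "after firewall"
# sensors while keeping their alerts distinguishable.
#
# config hostname: sensor-outside
# config interface: eth1
# output log_acid_db: mysql, sensor_id 1, database snort, server db.example.test, user snort
#
# Run it against the sensor's spool directory (placeholder path):
#   barnyard -c /etc/snort/barnyard.conf -d /var/log/snort -f snort.log
```

The spool directory is the only thing that has to move between the two roles; on a single box with limited hardware (Jan's fallback) the same two configurations still apply, with Barnyard running as a separate, lower-priority process so that Snort keeps the CPU when the link gets busy.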