Snort mailing list archives
RE: About to setup snort
From: "Truax, Shawn (MBS)" <Shawn.Truax () mbs gov on ca>
Date: Thu, 20 May 2004 23:05:19 -0400
Hi Shaun,

You might run into some issues with those HUBs. Depending on the amount of traffic you have on your network you may run into some heavy collision situations. Before you go all crazy and install the whole solution I would put in one of the HUBs and see how things run for a day or so. If users start calling up complaining about performance or connectivity you may have to invest in some taps or switches that have span ports.

Another option for you may be the Do-It-Yourself Tap instructions on the Snort Website. If you have trouble with the Hubs try those. I wouldn't recommend them for high traffic areas but they may be good enough for you and get you somewhere that is better than a HUB but cheaper than the new switches.

Shawn Truax
Security Specialist
Corporate Security
155 University Ave.
Toronto, Ontario M5H 3B7
(416)327-1107

-----Original Message-----
From: Shaun T. Erickson [mailto:ste () smxy org]
Sent: May 20, 2004 4:58 PM
To: Snort-users () lists sourceforge net
Subject: [Snort-users] About to setup snort

I'm about to embark on setting up snort on our networks. The plan is to have a number of sensors (3) that output alerts, and related logged packets, in unified format. Each sensor would also run barnyard, to pick up the logged alerts and packets and send them to a central server, for analysis. The central server would have a mysql database with an acid front-end. I've heard that acid doesn't send alerts (I could be wrong), so the plan would be to have an additional (as yet undetermined) program access the database and send out email/pager alerts as needed. It's also hoped that the mysql/acid setup could also receive, store and process syslog information coming from two sonicwall firewalls and an iptables firewall, and alert us as needed, based on that information, as well. Our networks are small, and with a small number of servers and clients.

Until such a time as we can afford switches that support a monitoring port, we are replacing our 100Mb switches with 100Mb hubs, so that we can get access to all the traffic. Each sensor will be plugged into the network it's to monitor, twice - once for normal access to the sensor, via ssh, for the sensor to send its data to the central server, etc., and once with a nic in promiscuous mode for capture purposes. Does this all sound reasonable?

Another question: One sensor will be running on FreeBSD. I see there is a port for snort, but I cannot find one for barnyard. Is there one? The other sensors will be running on (for the moment) Red Hat 8 and Red Hat Advanced Server 2.1 (I'm forced to run my sensors on existing servers, for the time being. Later, I'll be allowed to buy dedicated systems.) Are there RPMs for the latest versions of snort and barnyard for those two platforms? My central server is dedicated, btw.

I'm to embark on this tomorrow. Any insights/advice and so on is most welcome. TIA.

-ste
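The "additional program" Shaun describes, which reads the alert database that barnyard fills and hands new high-priority events to an email/pager step, as an added example that is not part of this thread. It assumes the classic Snort SQL schema (sensor, signature, event and iphdr tables, a subset of columns) and uses a constructed in-memory SQLite copy in place of MySQL; the notifier itself is left as the returned alert lines.

```python
import sqlite3
import socket

# Constructed stand-in for the Snort tables ACID reads (column subset only).
SCHEMA = """
CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_priority INTEGER);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT);
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER);
"""

def ip_to_int(ip):  # Snort stores IPv4 addresses as unsigned 32-bit integers
    return int.from_bytes(socket.inet_aton(ip), "big")

def int_to_ip(n):
    return socket.inet_ntoa(n.to_bytes(4, "big"))

def sample_db():
    """Constructed data: two sensors, three events as barnyard would insert them."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO sensor VALUES (?,?)", [(1, "sensor-a"), (2, "sensor-b")])
    conn.executemany("INSERT INTO signature VALUES (?,?,?)", [
        (100, "SAMPLE scan", 2), (101, "SAMPLE exploit attempt", 1), (102, "SAMPLE info", 3)])
    conn.executemany("INSERT INTO event VALUES (?,?,?,?)", [
        (1, 1, 102, "2004-05-20 16:58:01"), (1, 2, 101, "2004-05-20 16:58:05"),
        (2, 1, 100, "2004-05-20 16:59:00")])
    conn.executemany("INSERT INTO iphdr VALUES (?,?,?,?)", [
        (1, 1, ip_to_int("192.0.2.10"), ip_to_int("192.0.2.20")),
        (1, 2, ip_to_int("198.51.100.7"), ip_to_int("192.0.2.80")),
        (2, 1, ip_to_int("203.0.113.9"), ip_to_int("192.0.2.1"))])
    return conn

def fetch_new_alerts(conn, watermark, max_priority=2):
    """Return (alert lines, new watermark). cid is a per-sensor counter in Snort,
    so the watermark is kept per sid; one global 'last cid' would skip or repeat events."""
    alerts, new_wm = [], dict(watermark)
    for (sid,) in conn.execute("SELECT sid FROM sensor"):
        rows = conn.execute(
            "SELECT e.cid, e.timestamp, s.hostname, g.sig_name, g.sig_priority, "
            "i.ip_src, i.ip_dst FROM event e JOIN signature g ON g.sig_id = e.signature "
            "JOIN sensor s ON s.sid = e.sid LEFT JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid "
            "WHERE e.sid = ? AND e.cid > ? ORDER BY e.cid", (sid, watermark.get(sid, 0)))
        for cid, ts, host, name, prio, src, dst in rows:
            new_wm[sid] = cid  # advance past every event, mailed or not
            if prio is not None and prio <= max_priority:  # priority 1 is the most severe
                alerts.append("%s %s [%s] prio %d %s -> %s" % (ts, host, name, prio,
                              int_to_ip(src) if src is not None else "?",
                              int_to_ip(dst) if dst is not None else "?"))
    return alerts, new_wm
```

Persist the returned watermark between polling runs (a small file or a table of its own) so a restart of the poller neither re-sends old pages nor silently skips events.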