Snort mailing list archives
Re: Problem with using 2 sensors
From: James Lay <jlay () slave-tothe-box net>
Date: Sat, 08 Oct 2011 11:40:31 -0600
From: Mike Boeckeler <boeckelr () gmail com>
Date: Sat, 8 Oct 2011 13:03:04 -0400
To: Snort <snort-users () lists sourceforge net>
Cc: Kevin Ross <kevross33 () googlemail com>
Subject: Re: [Snort-users] Problem with using 2 sensors

Hi Kev,

I'm glad that I asked that question, but unfortunately it leads to more questions:

1) Just so I know that we are on the same page....will doing all of this allow me to successfully use 2 sensors...with one MySQL database and one Base install?

2) Second, I was always under the impression that when setting up a Snort sensor, in order to keep it stealthy you do not assign it an ip address. If that is the case, then how do I do what you suggest? I mean, if I set up eth1 as follows: "ifconfig eth1 0.0.0.0", then what ip address do I have MySQL bind to?

3) Third - when I had Snort/BASE running last week (when it would only report alerts on one sensor), I noticed that the amount of data shown in BASE for each alert was kind of skimpy compared to the way it was when I had it set up in the past. So that leads me to output questions: Should I use "output database: log...." or "output database: alert" if I want to maximize what is captured by Snort/MySQL? And in Barnyard2.conf should I use "output alert_fast" or "output alert_full"? I have looked for the answers to all of these questions - I get conflicting info on them.

One more thing - If I can ever get this set up successfully, I am going to write a config guide and submit it to Snort.org - I have looked thru all of the guides that are currently posted there, and not one of them mentions half of the things that you all have told me on this thread.

Take care and thanks again for your help.

Mike

Hi Mike,

So let's take these by the numbers ;)

1. Yes, two sensors will show up in your mysql db, barnyard is the beast that makes it happen. As far as snort is concerned, all it's doing is creating a unified2 file, and that's it.

Barnyard will have:

Instance #1
config hostname: Int_Net
config interface: eth0

Instance #2
config hostname: Ext_Net
config interface: eth1

That is what will show in your mysql db. The above are of course for my setup (router with two interfaces), yours will most likely differ.

2. I don't assign an IP at all to the interface with snort, just ifconfig eth1 promisc up, with no ip. Have mysql bind to 127.0.0.1 unless you need remote sql access.

3. You use neither ;) The process is like so: snort -> unified2 file -> barnyard -> mysql. Snort doesn't get the data into mysql, barnyard does. For newer versions, this is how it works, for older versions, snort put info into the db. I have my snort going to output alert_fast and of course unified2 file, and barnyard handles the rest.

Make sense? Hope that helps.

James
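The reply above says the two sensors only appear separately in the database if each barnyard2 instance carries its own `config hostname`/`config interface` pair, reads unified2, and writes to a mysql bound on 127.0.0.1. As an added example (not code from this thread or from the barnyard2 project), the script below parses two constructed barnyard2.conf fragments and flags the misconfigurations that would merge the sensors into one or keep events out of the database; it assumes barnyard2's `config hostname:` / `config interface:` / `input` / `output database:` line syntax, that the sensor row is keyed by the hostname and interface pair, and uses a placeholder password.

```python
import re

# Constructed sample configs for the two barnyard2 instances from the reply
# (assumed barnyard2.conf syntax; the password is a placeholder).
INT_NET_CONF = """
config hostname: Int_Net
config interface: eth0
input unified2
output database: log, mysql, user=snort password=CHANGEME dbname=snort host=127.0.0.1
"""
EXT_NET_CONF = INT_NET_CONF.replace("Int_Net", "Ext_Net").replace("eth0", "eth1")

def parse_barnyard2(text):
    """Extract the settings that decide sensor identity and the output path."""
    cfg = {"hostname": None, "interface": None, "inputs": [], "outputs": []}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"config\s+(hostname|interface):\s*(\S+)", line)
        if m:
            cfg[m.group(1)] = m.group(2)
        elif line.startswith("input "):
            cfg["inputs"].append(line[6:].strip())
        elif line.startswith("output "):
            cfg["outputs"].append(line[7:].strip())
    return cfg

def check_two_sensor_setup(confs):
    """Return problems that would merge the sensors in the DB or keep events out of it."""
    problems, seen = [], {}
    for name, text in confs.items():
        cfg = parse_barnyard2(text)
        key = (cfg["hostname"], cfg["interface"])   # assumed to identify the sensor row
        if None in key:
            problems.append(f"{name}: missing config hostname/interface")
        elif key in seen:
            problems.append(f"{name}: same hostname/interface as {seen[key]}, DB shows one sensor")
        seen.setdefault(key, name)
        if "unified2" not in cfg["inputs"]:
            problems.append(f"{name}: no 'input unified2', but snort only writes unified2")
        db = [o for o in cfg["outputs"] if o.startswith("database:")]
        if not db:
            problems.append(f"{name}: no 'output database:' line, nothing reaches mysql")
        elif not re.search(r"host=(127\.0\.0\.1|localhost)\b", db[0]):
            problems.append(f"{name}: database host is remote, but mysql binds to 127.0.0.1")
    return problems

if __name__ == "__main__":
    print(check_two_sensor_setup({"Int_Net": INT_NET_CONF, "Ext_Net": EXT_NET_CONF}) or "ok")
```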