Snort mailing list archives

Re: IDS architecture


From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 16 Nov 2012 20:18:28 -0500

On 11/16/2012 17:41, k vijay sai prashanth wrote:
> I have asked this question before and didn't get any straightforward replies so
> here goes my question again.

i believe i do recall this question and some of the answers you got...

> I have four sensor logging events to a database on the local machine. How should
> the architecture usually be?

architecture? of the machines? of the network layout?

> Should all the sensors be logging events to a
> common database server?

you can if you want or you can have each logging to its own database... it 
depends on your network's needs and your protection design... are you running 
multiple snort instances against the traffic on one interface or are you running 
multiple snorts looking at traffic on different interfaces? each has its own 
needs...

> How do I implement this database server?

i suspect that many use MySQL based on a lot of what i've read over the years... 
some use dedicated servers for their database since they have tons of traffic 
they are working with coming in over some very fat pipes... some might implement 
them on the machine(s) running their aggregation and reporting software like 
barnyard2 and the like...

> This question may seem trivial but please humour me and be as clear as possible.

it is not trivial but it is also not really possible to give one straight answer 
because it depends on your network and its needs for protection... many are 
using snort inline whereas i'm aware of many that run snort "on the side" 
sniffing everything flowing on un-numbered interfaces (i.e. no IP numbers) so 
they cannot be detected or specifically targeted... some folks have them with 
specific control interfaces that only the admin side can access (3 NICs in the 
box, 2 for the traffic passing thru and the other one for admin and control)... 
others run snort right on their perimeter router/firewall box with all the tools 
on that same box... it is up to you to decide what is the best for the 
network(s) you are protecting and how to go about setting all of that up... then 
ask specific questions as they arise :)
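As an added example (not part of the original post, and not taken from the Snort or barnyard2 projects' own documentation), this is what a per-sensor barnyard2 configuration for the "common database server" option discussed above can look like: each sensor reads its own unified2 spool and writes to the shared MySQL database, and the hostname/interface/sensor_name values keep the four sensors' events apart in the sensor table. The hostnames, interface names, file paths, credentials and the database host are assumptions.

```conf
# barnyard2.conf for ONE sensor (assumed name "sensor1", sniffing eth1).
# Copy it to each sensor box and change only the three identity lines below
# plus the spool path; every sensor then shares the same database host.

# identity of this sensor as recorded in the database (assumed values)
config hostname:  sensor1
config interface: eth1

# maps needed to resolve generator/signature ids into readable names
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map

# read snort's unified2 output (snort is started with "output unified2:" pointing here)
input unified2

# shared database: assumed host "db.example.internal", user "snort", db "snort".
# sensor_name makes the sensor-table entry explicit instead of host:interface,
# so four sensors writing to the same server stay distinguishable.
output database: log, mysql, user=snort password=CHANGEME dbname=snort host=db.example.internal sensor_name=sensor1-eth1

# Start on each sensor with its own waldo (bookmark) file so each instance
# resumes from where it left off, e.g.:
#   barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 \
#             -w /var/log/snort/barnyard2.waldo -D
```

Only the database account used by barnyard2 needs INSERT rights on the shared schema; reporting tools on the admin network can be given a separate read-only account.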

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net