[FW1] RE: [Snort-users] IDS Deployment -- opinions please...
Ok, now I am a bit confused. When you start snort with the -c option, does
that point to the rule file or the snort.conf? I am missing something. I
can't get this. I read a document from www.incident.org/snortdb/. I am kinda
lost. Please help if you can.

-----Original Message-----
From: Mike Baptiste [mailto:[email protected]]
Sent: 20 February 2001 17:10
To: Langa Kentane
Subject: Re: [Snort-users] IDS Deployment -- opinions please...

See the file README.database in the snort distribution. You create the
table, feed in a schema file, and then set up snort to pump data to the
database using the output database command:

# database: log to a variety of databases
# ---------------------------------------
# See the README.database file for more information about configuring
# and using this plugin.
#
# output database: log, mysql, user=snort dbname=snort host=localhost
# output database: log, postgresql, user=snort dbname=snort
# output database: log, unixodbc, user=snort dbname=snort

Mike

Langa Kentane wrote:
> Would you care to give me information on where I can find info on creating
> such a setup. I am particularly interested in how to send data from a sensor
> to a database machine.
>
> Thanks
>
> -----Original Message-----
> From: Mike Baptiste [mailto:[email protected]]
> Sent: 20 February 2001 13:59
> To: Langa Kentane
> Subject: Re: [Snort-users] IDS Deployment -- opinions please...
>
>
> I don't believe multiple interfaces are supported right now. Probably
> the best setup is to run a sensor inside and outside the firewall on
> different machines. The trick is getting the outside data INTO your
> network in a secure manner (we use IPSec).
>
> When multiple snort instances send data to the same database, they are
> tagged with a unique sensor ID which allows you to filter based on where
> the alerts came from. We currently have 3 machines running snort
> sending data to a 4th database machine. Works great.
>
> Mike
>
> Langa Kentane wrote:
>
>> Greetings.
>> We will be deploying snort as our IDS in our company. The setup that I
>> have in mind is the following:
>>
>> One host with two interfaces. One of the interfaces does not have an IP
>> address assigned and is outside the firewall, connected to a switch by
>> means of a read-only cat 5 100BaseTX cable. The other interface is
>> internal with an illegal IP [192.168.x.x for example] doing intrusion
>> detection inside the firewall.
>>
>> How would you rate this setup? Is this a good idea? Can someone suggest
>> other ideas? How is your IDS set up?
>>
>> Also, when logging, will I be able to tell from snort which interface a
>> packet came from?
>>
>> Thanks in advance.
>> _________________________________________________________
>> Langa Kentane | Tel: [011] 290 3218
>> Security Administrator | Cell:
>> [CNA MCSE CCSA CCNA] | www.discoveryhealth.co.za
>> _________________________________________________________
>>
>> _______________________________________________
>> Snort-users mailing list
>> [email protected]
>> Go to this URL to change user options or unsubscribe:
>> http://lists.sourceforge.net/lists/listinfo/snort-users

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Mike Baptiste [email protected]
Mebane, NC http://www.baptistefamily.net/
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
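Added example for the two points the thread turns on (it is not code from the thread, from Snort, or from README.database): the file named with `snort -c` is snort.conf, which pulls rule files in through `include` directives, and logging to a database machine is enabled by an `output database:` line in that same file. The script below resolves a constructed snort.conf the way `-c` does (expanding includes), parses every `output database: <facility>, <backend>, key=value ...` line using the syntax quoted in Mike's reply, and reviews each entry from the sensor operator's side: is the backend one of the three listed, do events leave the sensor for another host (the thread protects that path with IPSec), and are database credentials sitting in the config file. Assumptions: relative include paths are resolved against the directory of the including file (Snort's own rule may differ), the `password=` parameter is as this example's author recalls it from README.database, and the file names, the hostname db.example.internal and the placeholder password are constructed for the demo.

```python
"""Resolve a snort.conf as `snort -c <file>` does and audit its output
database plugins.  Example code added to this thread; not Snort's own."""
import os
import re
import tempfile

INCLUDE_RE = re.compile(r'^\s*include\s+(\S+)\s*$')
OUTPUT_DB_RE = re.compile(r'^\s*output\s+database\s*:\s*(.*)$')
KNOWN_BACKENDS = {'mysql', 'postgresql', 'unixodbc'}   # the three named in snort.conf


def resolve_conf(path, _active=None):
    """Return the effective (file, line) pairs of a snort.conf: comments and
    blanks dropped, each `include` replaced by the included file's lines.
    Assumption: relative include paths are taken relative to the including
    file's directory.  Simplification: '#' always starts a comment, so a rule
    with a literal '#' in its content would be truncated here."""
    _active = set() if _active is None else _active
    real = os.path.realpath(path)
    if real in _active:                       # include loop guard
        raise ValueError('include loop at %s' % path)
    _active.add(real)
    out = []
    try:
        with open(real) as fh:
            for raw in fh:
                line = raw.split('#', 1)[0].strip()
                if not line:
                    continue
                m = INCLUDE_RE.match(line)
                if m:
                    inc = m.group(1)
                    if not os.path.isabs(inc):
                        inc = os.path.join(os.path.dirname(real), inc)
                    out.extend(resolve_conf(inc, _active))
                else:
                    out.append((real, line))
    finally:
        _active.discard(real)
    return out


def parse_output_database(line):
    """Parse `output database: <facility>, <backend>, k=v k=v ...`; return
    None for any other directive."""
    m = OUTPUT_DB_RE.match(line)
    if not m:
        return None
    parts = [p.strip() for p in m.group(1).split(',', 2)]
    if len(parts) < 2:
        raise ValueError('malformed output database line: %r' % line)
    params = {}
    if len(parts) == 3:
        for tok in parts[2].split():
            key, _, val = tok.partition('=')
            params[key] = val
    return {'facility': parts[0], 'backend': parts[1], 'params': params}


def database_outputs(conf_path):
    """Every enabled (uncommented) output database plugin after include expansion."""
    return [cfg for _src, line in resolve_conf(conf_path)
            for cfg in [parse_output_database(line)] if cfg]


def review(cfg):
    """Operator-side notes on one parsed output database entry."""
    notes = []
    if cfg['backend'] not in KNOWN_BACKENDS:
        notes.append('unknown backend %r' % cfg['backend'])
    host = cfg['params'].get('host')
    if host and host != 'localhost':
        notes.append('events leave the sensor for %s; protect that path (the thread uses IPSec)' % host)
    if 'password' in cfg['params']:
        notes.append('database credentials are in clear text; restrict read access to the conf file')
    return notes


def demo():
    """Build a constructed snort.conf plus an included rules file in a temp
    directory, then resolve and review them."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, 'local.rules'), 'w') as fh:
            fh.write('# constructed sample rule\n'
                     'alert tcp any any -> any 80 (msg:"sample"; sid:1000001;)\n')
        conf = os.path.join(d, 'snort.conf')
        with open(conf, 'w') as fh:
            fh.write('# constructed snort.conf (the file named with snort -c)\n'
                     '# output database: log, mysql, user=snort dbname=snort host=localhost\n'
                     'output database: log, mysql, user=snort dbname=snort '
                     'host=db.example.internal password=CHANGEME\n'
                     'output database: alert, postgresql, user=snort dbname=snort\n'
                     'include local.rules\n')
        lines = [l for _, l in resolve_conf(conf)]
        outputs = database_outputs(conf)
        return lines, outputs, [review(o) for o in outputs]


if __name__ == '__main__':
    for item in demo():
        print(item)
```

Run it as-is: the commented-out mysql line stays disabled, the rule from local.rules appears in the resolved config, the first entry draws two notes (remote host, clear-text password) and the local postgresql entry none.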