RE: [FW1] RE: [Snort-users] IDS Deployment -- opinions please...



After the -c you specify the rule file to be used.  

-----Original Message-----
From: Langa Kentane [mailto:[email protected]]
Sent: Thursday, February 22, 2001 4:39 AM
To: 'Mike Baptiste'
Cc: Firewall-1 Mailing List (E-mail)
Subject: [FW1] RE: [Snort-users] IDS Deployment -- opinions please...



Ok, now I am a bit confused.
When you start snort with the -c option, does that point to the rule file or
the snort.conf?

I am missing something.  I can't get this.  I read a document from
www.incident.org/snortdb/

I am kinda lost.
Please help if you can

-----Original Message-----
From: Mike Baptiste [mailto:[email protected]]
Sent: 20 February 2001 17:10
To: Langa Kentane
Subject: Re: [Snort-users] IDS Deployment -- opinions please...


See the file README.database in the snort distribution.  You create the 
table, feed in a schema file, and then set up snort to pump data to the 
database using the output database command

# database: log to a variety of databases
# ---------------------------------------
# See the README.database file for more information about configuring
# and using this plugin.
#
# output database: log, mysql, user=snort dbname=snort host=localhost
# output database: log, postgresql, user=snort dbname=snort
# output database: log, unixodbc, user=snort dbname=snort

Mike

Langa Kentane wrote:

> Would you care to give me information of where I can find info on creating
> such a setup.  I am particularly interested in how to send data from a
> sensor to a database machine.
> 
> Thanks
> 
> -----Original Message-----
> From: Mike Baptiste [mailto:[email protected]]
> Sent: 20 February 2001 13:59
> To: Langa Kentane
> Subject: Re: [Snort-users] IDS Deployment -- opinions please...
> 
> 
> I don't believe multiple interfaces are supported right now.  Probably 
> the best setup is to run a sensor inside and outside the firewall on 
> different machines.  The trick is getting the outside data INTO your 
> network in a secure manner (we use IPSec)
> 
> When multiple snort instances send data to the same database, they are 
> tagged with a unique sensor ID which allows you to filter based on where 
> the alerts came from.  WE currently have 3 machines running snort 
> sending data to a 4th database machine.  Works great.
> 
> Mike
> 
> Langa Kentane wrote:
> 
> 
>> Greetings.
>> We will be deploying snort as our IDS in our company.  The setup that I
>> have in mind is the following:
>> 
>> One host with two interfaces.  One of the interfaces does not have an IP
>> address assigned and is outside the firewall connected to a switch by
>> means of a read only cat 5 100BaseTX cable.  The other interface is
>> internal with an illegal IP [192.168.x.x for example] doing intrusion
>> detection inside the firewall.
>> 
>> How would you rate this setup.  Is this a good idea.  Can someone suggest
>> other ideas.  How is your IDS setup.
>> 
>> Also, when logging, will I be able to tell from snort which interface a
>> packet came from.
>> 
>> Thanks in advance.
>> _________________________________________________________
>> Langa Kentane          |  Tel:   [011] 290 3218
>> Security Administrator |  Cell:
>> [CNA MCSE CCSA CCNA]   |  www.discoveryhealth.co.za
>> _________________________________________________________
>> 
>> _______________________________________________
>> Snort-users mailing list
>> [email protected]
>> Go to this URL to change user options or unsubscribe:
>> http://lists.sourceforge.net/lists/listinfo/snort-users


-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Mike Baptiste           [email protected]
Mebane, NC       http://www.baptistefamily.net/
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
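Mike's point about several sensors feeding one database and being told apart by a sensor ID is easy to see with a small mock-up. The following is an added example, not code from the thread or from the Snort project: it builds an in-memory SQLite database whose "sensor" and "event" tables are a simplified assumption modelled on the Snort database plugin's layout (sid = sensor id, cid = per-sensor event counter; the real schema shipped in Snort's contrib directory has more columns and more tables), inserts constructed alerts from three sensors, and then answers "where did this alert come from" and "what was seen outside the firewall but also inside".

```python
# Added example, not from the thread. Table layout is a simplified
# assumption modelled on the Snort database output plugin's "sensor"
# and "event" tables; it is not the exact schema Snort ships.
import sqlite3

SCHEMA = """
CREATE TABLE sensor (
    sid       INTEGER PRIMARY KEY,   -- unique sensor id (the tag Mike refers to)
    hostname  TEXT NOT NULL,
    interface TEXT NOT NULL,
    filter    TEXT,                  -- BPF filter the sensor runs with, if any
    last_cid  INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE event (
    sid       INTEGER NOT NULL REFERENCES sensor(sid),
    cid       INTEGER NOT NULL,      -- per-sensor event counter
    signature TEXT NOT NULL,
    timestamp TEXT NOT NULL,
    PRIMARY KEY (sid, cid)
);
"""

# Constructed sample data: three sensors reporting to one database, as in
# the thread. Hostnames, interfaces and alerts are made up.
SENSORS = [
    (1, "sensor-outside", "eth1", None),
    (2, "sensor-dmz", "eth0", None),
    (3, "sensor-inside", "eth0", "not host 192.168.1.10"),
]
EVENTS = [
    # (sid, signature, timestamp)
    (1, "SCAN nmap TCP", "2001-02-20 13:01:02"),
    (1, "SCAN nmap TCP", "2001-02-20 13:01:03"),
    (1, "WEB-IIS cmd.exe access", "2001-02-20 13:05:44"),
    (2, "WEB-IIS cmd.exe access", "2001-02-20 13:05:45"),
    (3, "NETBIOS SMB C$ access", "2001-02-20 13:40:10"),
]


def record_event(conn, sid, signature, timestamp):
    """Mimic what the database plugin does per alert: bump the sensor's own
    counter (last_cid) and store the event keyed by (sid, cid)."""
    cur = conn.execute(
        "UPDATE sensor SET last_cid = last_cid + 1 WHERE sid = ?", (sid,)
    )
    if cur.rowcount != 1:
        raise ValueError(f"unknown sensor id {sid}")
    (cid,) = conn.execute(
        "SELECT last_cid FROM sensor WHERE sid = ?", (sid,)
    ).fetchone()
    conn.execute(
        "INSERT INTO event (sid, cid, signature, timestamp) VALUES (?,?,?,?)",
        (sid, cid, signature, timestamp),
    )
    return cid


def build_db():
    """Create the mock database and load the constructed sensors and events."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO sensor (sid, hostname, interface, filter) VALUES (?,?,?,?)",
        SENSORS,
    )
    for sid, sig, ts in EVENTS:
        record_event(conn, sid, sig, ts)
    return conn


def alerts_by_sensor(conn):
    """Alert count per sensor host/interface: 'where did it come from'."""
    rows = conn.execute(
        "SELECT s.hostname, s.interface, COUNT(*) FROM event e "
        "JOIN sensor s ON s.sid = e.sid GROUP BY s.sid ORDER BY s.sid"
    ).fetchall()
    return {f"{host}:{iface}": n for host, iface, n in rows}


def seen_on_both_sides(conn, outside_sid, inside_sid):
    """Signatures that fired on both the outside and the inside sensor. The
    outside sensor sees everything aimed at you; the inside one only what
    the firewall let through, so this is the list worth looking at first."""
    rows = conn.execute(
        "SELECT DISTINCT a.signature FROM event a JOIN event b "
        "ON a.signature = b.signature WHERE a.sid = ? AND b.sid = ?",
        (outside_sid, inside_sid),
    ).fetchall()
    return sorted(sig for (sig,) in rows)


if __name__ == "__main__":
    db = build_db()
    print(alerts_by_sensor(db))
    print(seen_on_both_sides(db, 1, 2))
```

The (sid, cid) key is what keeps three sensors from colliding in one event table: each sensor only ever increments its own counter, so two alerts logged at the same second on different machines never overwrite each other, and every query can be restricted to one side of the firewall simply by filtering on sid.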


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================


