[ale] RE: Snort

sangell at nan.net sangell at nan.net
Tue Aug 19 13:26:46 EDT 2003
It is a great tool. I set up Snort sensors on multiple boxes: pre-firewall,
post-firewall, DMZ, and set up an extranet. I pipe the output from the 3
Snort boxes to the extranet, where a MySQL database stores all the data. I
set up an Apache server and used A.C.I.D. to access the data in the SQL
database. It all works very seamlessly and was fairly simple to set up. I
found all the documentation I needed to set this up right off of Snort's
website. I am sure there are other methods for setting this up, but this was
perfect for what I wanted, which was a secondary IDS over my ISS products. I
am also going to set up a similar scenario at home as soon as I can isolate
a few 300 MHz systems being retired.

Good luck.
\_\_\_\_\_\_\_\_\_\_\_/_/_/_/_/_/_/_/_/_/_/
\_    Steve Angell,  MCSE, CCNA           _/
\_    Senior MIS Manager, Operations _/
\_    TSYS Debt Management             _/
\_    Norcross, GA                                   _/
\_    Phone 770-409-5570                    _/
\_    Fax      770-416-1752                   _/
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/


From: Christopher Fowler <cfowler at outpostsentinel.com>
Sent by: ale-admin at ale.org
Date: 08/19/2003 01:20 PM
Please respond to: ale
To: ale at ale.org
cc:
Subject: [ale] RE: Snort

This Snort program is really cool.  I've got it logging to a
directory called /tmp/sno.  It seems that you can have it go
into a database.  Will it dump the packet data into the database or
just the header info?  I want to make sure the database does not
grow uncontrollably.  My database is behind the firewall so I can just
dump there.  It may be feasible to create a wiretap.


-- Rx [ ] --- [ ] Rx --
-- Tx [ ] --- [ ] Tx --
           |
           | Rx
          [ ]
          [ ] Snort.


Would this be the correct cable configuration?  I assume that I'll
need to send Rx+ and Rx- to the IDS but do not need to worry
about Tx+ and Tx-.

Chris

_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale
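The database output both messages talk about, as an added example that is not configuration from either poster: a snort.conf fragment for the Snort 2.x `output database` plugin, showing the setting that decides whether packet payload lands in the database (`detail=full`) or only header-level fields (`detail=fast`). The host name, database name, credentials and sensor name below are placeholders.

```conf
# Added example, not the posters' own snort.conf. Host, dbname, user,
# password and sensor_name are placeholders; replace them for your site.
#
# Syntax: output database: <facility>, <db type>, <parameters>
#   facility  log | alert   (which Snort output facility feeds the plugin)
#   db type   mysql | postgresql | odbc | oracle | mssql
#
# Full detail (the default): every alerting packet is stored with its
# IP/TCP options and its payload, so the database grows with alert volume
# multiplied by packet size. This is what ACID needs for packet display and
# content searches.
output database: log, mysql, user=snort password=<secret> dbname=snort host=db.extranet.example sensor_name=dmz-sensor encoding=hex detail=full

# Reduced detail: only timestamp, signature, source/destination IP and port,
# TCP flags and protocol are written. No payload, so growth is bounded by
# alert count alone, at the cost of losing the packet contents in ACID.
# output database: alert, mysql, user=snort password=<secret> dbname=snort host=db.extranet.example sensor_name=dmz-sensor detail=fast

# encoding controls how payload bytes are stored when detail=full:
#   hex (default) | base64 | ascii
# hex roughly doubles payload size in the database; ascii is smallest but
# lossy for binary payloads.
```

The plugin only appends; it never expires rows. Whichever detail level you pick, database growth has to be capped separately, by pruning or archiving old events in the database (ACID's archive tables, or a scheduled delete keyed on the event timestamp) rather than by anything in snort.conf. Keeping the on-disk logs from `snort -l /tmp/sno` for a short window lets you run `detail=fast` in the database and still go back to the full packets for recent alerts.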
