[Snort-users] General snort question
Wendell Smith

2004-09-10, 5:46 pm

Hey all!

So I have just installed Snort/Acid on a test server of mine and for the
most part, I'm really enjoying the functionality these two apps provide.
I would like to deploy this IDS on my WAN exposed servers.

My question to the list is:

Can I do this in a way such that I don't have to install Snort, Acid,
Apache, PHP, MySQL, etc on each of these WAN exposed machines.

I saw that logsnorter provides a way to do this but that it is no longer
supported. I have also read a little something about ethertaps but would
rather not recompile the kernels of 5-8 machines.

Thanks and regards,

Wendell Smith



-------------------------------------------------------
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 13. Go here: http://sf.net/ppc_contest.php
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists...nfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf....ist=snort-users
Matt Kettler

2004-09-10, 5:46 pm

At 03:31 PM 9/10/2004, Wendell Smith wrote:
>So I have just installed Snort/Acid on a test server of mine and for the
>most part, I'm really enjoying the functionality these two apps provide.
>I would like to deploy this IDS on my WAN exposed servers.
>
>My question to the list is:
>
>Can I do this in a way such that I don't have to install Snort, Acid,
>Apache, PHP, MySQL, etc on each of these WAN exposed machines.


Do you really need or even want separate collections per server?
Are your wan exposed servers all in their own subnet (ie: all in one DMZ)?

In general I'd just use a managed switch for the DMZ, and configure a span
port to monitor the link up to your firewall or router. Run the span to a
snort box and sniff the whole subnet's internet traffic all at once.

If you've got a couple DMZs, you can add extra interfaces to your snort box
and just run multiple instances of snort on the same machine, or use
bonding to bond the interfaces and have a single snort use the bonded
interface.

Lyndon Tiu

2004-09-10, 5:46 pm

On 10 Sep 2004 15:31:24 -0400 wendels@castlebranch.com wrote:

> Hey all!
>
> So I have just installed Snort/Acid on a test server of mine and for the
> most part, I'm really enjoying the functionality these two apps provide.
> I would like to deploy this IDS on my WAN exposed servers.
>
> My question to the list is:
>
> Can I do this in a way such that I don't have to install Snort, Acid,
> Apache, PHP, MySQL, etc on each of these WAN exposed machines.
>

Are you using Linux?

This is what we did.

You can simply clone machines/hard drives.

Install all of the required software on one machine and copy to the rest, changing only the hostname and IP addresses.

Linux can handle changing hardware pretty well. So if you installed on one machine and clone to a different machine with different hardware, it will detect the new hardware and ask you whether to configure the "new" and "removed" hardware.

Your hard drives will have to be exactly the same though. All the other hardware can be different.

--

Lyndon Tiu

Wendell Smith

2004-09-10, 5:46 pm

Let me preface this by apologizing for this potentially redundant
question.

I realize that I should most likely be using snort sensors to accomplish
the task I spoke of earlier in this thread.

Where can I find documentation on how to accomplish this. I only found
one reference to the word "sensor" in the entire Snort manual. I grep
for "sensor" in the install/doc dir and I find only two instances of the
word. Neither of which sheds any light on how to make use of this
mechanism.

So...

Could someone point me in the direction of some documentation about
utilizing and deploying snort sensors that relay information to a
central back-end server?

Thanks and regards,

Wendell
> On Fri, 2004-09-10 at 15:39, McCash, John wrote:

McCash, John

2004-09-10, 5:46 pm

Wendell,
You only need all of those things on your back end database
server. The sensors (as I recall) will require mysql to be installed,
because the snort binary references the mysql library (unless you link
it statically). You don't need an actual database installed on the
sensor though. Just configure the database output plugins on all of your
sensors to report to the database on your database/web server, and
you're good to go. You don't have to run the database and the web
servers on the same machine either, if you don't want to.
John McCash

-----Original Message-----
From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Wendell
Smith
Sent: Friday, September 10, 2004 2:31 PM
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] General snort question

Hey all!

So I have just installed Snort/Acid on a test server of mine and for the
most part, I'm really enjoying the functionality these two apps provide.
I would like to deploy this IDS on my WAN exposed servers.

My question to the list is:

Can I do this in a way such that I don't have to install Snort, Acid,
Apache, PHP, MySQL, etc on each of these WAN exposed machines.

I saw that logsnorter provides a way to do this but that it is no longer
supported. I have also read a little something about ethertaps but would
rather not recompile the kernels of 5-8 machines.

Thanks and regards,

Wendell Smith

Alex Butcher, ISC/ISYS

2004-09-22, 10:25 pm



--On 10 September 2004 16:07 -0400 Wendell Smith <wendels@castlebranch.com>
wrote:

> I only found one reference to the word "sensor" in the entire Snort
> manual. I grep for "sensor" in the install/doc dir and I find only two
> instances of the word. Neither of which sheds any light on how to make
> use of this mechanism.
>
> So...
>
> Could someone point me in the direction of some documentation about
> utilizing and deploying snort sensors that relay information to a
> central back-end server?


The usual way is to use the database output plugin, or one of the spool
processors out there (i.e. barnyard, FLoP or mudpit) and a SQL database
(MySQL and PostgreSQL are the usual choices).

> Wendell


Best Regards,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
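A worked example of the sensor/back-end split that John and Alex describe, added here as an editor's illustration; it is not configuration posted in the thread. The hostnames, addresses, sensor names and credentials are made up. The snort.conf directives use the Snort 2.x `output database` and `output alert_unified`/`output log_unified` syntax; the barnyard.conf lines follow the barnyard 0.2 format as I remember it and should be checked against the barnyard.conf shipped with your version.

```conf
# --- snort.conf on each WAN-exposed sensor ---
# The sensor runs only Snort (plus the MySQL client library it links against):
# no local database, no Apache/PHP/ACID.  Addresses and credentials below are
# placeholders for this example.

# Option A: Snort's own database output plugin writes alerts straight to the
# central database host.  The write happens in-line with packet processing, so
# a slow or unreachable database stalls Snort and can cause dropped packets.
output database: log, mysql, user=snort password=CHANGEME dbname=snort host=10.0.0.5 sensor_name=dmz-sensor-1

# Option B (preferred on busy links): write unified binary spool files locally
# and let barnyard ship them, so Snort never blocks on the network or database.
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

# --- barnyard.conf on the same sensor (barnyard 0.2 syntax, from memory) ---
# Reads the unified spool files above and forwards them to the central
# ACID/MySQL server; only the back-end host runs the database and web front end.
config daemon
config hostname: dmz-sensor-1
config interface: eth1
output alert_acid_db: mysql, sensor_id 1, database snort, server 10.0.0.5, user snort, password CHANGEME
output log_acid_db: mysql, database snort, server 10.0.0.5, user snort, password CHANGEME, detail full
```

Two things worth checking on the back-end side: the MySQL account the sensors use should be restricted to the sensors' source addresses and granted only the privileges the output plugin needs on the snort database, and the database port should be reachable from the DMZ sensors alone, since a sensor sitting on a WAN-exposed segment is itself exposed and the plugin carries alert payloads to the server in cleartext.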
Copyright 2003 - 2010 webservertalk.com