Ok, now I am a bit confused.
When you start snort with the -c option, does that point to the rule file or
the snort.conf?
I am missing something. I can't get this. I read a document from
www.incident.org/snortdb/
I am kinda lost.
Please help if you can
-----Original Message-----
From: Mike Baptiste [mailto:[EMAIL PROTECTED]]
Sent: 20 February 2001 17:10
To: Langa Kentane
Subject: Re: [Snort-users] IDS Deployment -- opinions please...
See the file README.database in the snort distribution. You create the
table, feed in a schema file, and then set up snort to pump data to the
database using the output database command
# database: log to a variety of databases
# ---------------------------------------
# See the README.database file for more information about configuring
# and using this plugin.
#
# output database: log, mysql, user=snort dbname=snort host=localhost
# output database: log, postgresql, user=snort dbname=snort
# output database: log, unixodbc, user=snort dbname=snort
Mike
Langa Kentane wrote:
> Would you care to give me information of where I can find info on creating
> such a setup. I am particularly interested in how to send data from a sensor
> to a database machine.
>
> Thanks
>
> -----Original Message-----
> From: Mike Baptiste [mailto:[EMAIL PROTECTED]]
> Sent: 20 February 2001 13:59
> To: Langa Kentane
> Subject: Re: [Snort-users] IDS Deployment -- opinions please...
>
>
> I don't believe multiple interfaces are supported right now. Probably
> the best setup is to run a sensor inside and outside the firewall on
> different machines. The trick is getting the outside data INTO your
> network in a secure manner (we use IPSec)
>
> When multiple snort instances send data to the same database, they are
> tagged with a unique sensor ID which allows you to filter based on where
> the alerts came from. We currently have 3 machines running snort
> sending data to a 4th database machine. Works great.
>
> Mike
>
> Langa Kentane wrote:
>
>
>> Greetings.
>> We will be deploying snort as our IDS in our company. The setup that I have
>> in mind is the following:
>>
>> One host with two interfaces. One of the interfaces does not have an IP
>> address assigned and is outside the firewall connected to a switch by means
>> of a read only cat 5 100BaseTX cable. The other interface is internal with
>> an illegal IP [192.168.x.x for example] doing intrusion detection inside the
>> firewall.
>>
>> How would you rate this setup? Is this a good idea? Can someone suggest
>> other ideas? How is your IDS setup?
>>
>> Also, when logging, will I be able to tell from snort which interface a
>> packet came from?
>>
>> Thanks in advance.
>> _________________________________________________________
>> Langa Kentane | Tel: [011] 290 3218
>> Security Administrator | Cell: 082 606 1515
>> [CNA MCSE CCSA CCNA] | www.discoveryhealth.co.za
>> _________________________________________________________
>>
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Mike Baptiste [EMAIL PROTECTED]
Mebane, NC http://www.baptistefamily.net/
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=