[Snort-sigs] Doubts

wkitty42 at ...3507...
Wed Feb 10 09:02:34 EST 2016

On 02/10/2016 08:21 AM, ARUN LAL wrote:
> Hi All,
> Sorry for the confusion. Let me just clarify myself.  I know how to install
> Snort and Snorby on the same server and configure them to work together but
> right now, I need to use Snorby on my server to fetch the alerts from 3
> different remote servers that have Snort installed on each of them. I was hoping
> if you could provide me a step by step instruction or direct me to a suitable
> guide for the same.

i cannot direct you to any guides or explain how to do it but the general idea 
is this...

1. install snort on a sensor in each network you need to monitor.

2. install a tool like barnyard2 on each sensor.

3. set up a central database somewhere for all sensors to report to.

4. configure each snort with a specific identifier to keep alerts separated by 
sensor in the central database. (see the -G and -logid command line parameters)

5. configure each tool like barnyard2 to gather the alerts and insert them into 
the central database.

6. use whatever tool you like (snorby??) to monitor the alerts in the central 

the basic gist is that each sensor pushes its alerts to the central database 
where all the monitoring is being done... effectively, once you install one 
snort/barnyard2 combination, you duplicate it to all other sensors giving each 
sensor an id number via the -G command line option... then each sensor's 
barnyard2 will push the sensor's alerts to the central database and you can use 
whatever tool you like to monitor the database...
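The six steps above as a worked configuration, added here as an example and not taken from the thread or from the Snort or barnyard2 projects' own documentation: a small POSIX shell script that renders, per sensor, the snort.conf unified2 output line, the barnyard2.conf that tags records with the sensor's hostname and pushes them to the central database, and the start commands that pass the sensor id with -G. It also goes one step beyond the reply by checking that no two sensors share an id, since colliding ids would merge alerts from different networks under one sensor in the central database. Everything concrete in it is an assumption: paths under /etc/snort and /var/log/snort, a MySQL database named "snort" with user "snort", the CHANGEME password placeholder, and the constructed sensor inventory.

```shell
#!/bin/sh
# Added example, not from the thread or the Snort/barnyard2 projects: render the
# per-sensor configuration the steps above describe, so each sensor runs Snort
# with its own -G id and barnyard2 pushes unified2 alerts to one central database.
# Assumptions: paths under /etc/snort and /var/log/snort, a MySQL database named
# "snort" with user "snort", and the placeholder password CHANGEME.

# render_sensor_config ID HOSTNAME IFACE DBHOST
#   prints the config fragments and start commands for one sensor
render_sensor_config() {
  sid="$1"; host="$2"; iface="$3"; dbhost="$4"
  cat <<EOF
# ---- snort.conf on ${host}: write unified2 spool files for barnyard2 to read ----
output unified2: filename snort.u2, limit 128

# ---- barnyard2.conf on ${host}: tag records with this sensor, send to central DB ----
config hostname: ${host}
config interface: ${iface}
output database: log, mysql, user=snort password=CHANGEME dbname=snort host=${dbhost}

# ---- start commands on ${host} (-G sets the log/sensor id the reply refers to) ----
snort -c /etc/snort/snort.conf -i ${iface} -l /var/log/snort -G ${sid} -D
barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -D
EOF
}

# check_unique_ids < "ID HOSTNAME IFACE DBHOST" lines
#   returns 1 if two sensors share an id; colliding ids would merge the alerts of
#   different networks into one sensor row in the central database
check_unique_ids() {
  awk '{ if (seen[$1]++) { print "duplicate sensor id " $1 " (" $2 ")"; dup = 1 } } END { exit dup }'
}

# Constructed sensor inventory for the three remote sensors in the question
# (id, hostname, sniffing interface, central database host).
SENSORS='1 sensor-a eth1 10.0.0.10
2 sensor-b eth1 10.0.0.10
3 sensor-c eth2 10.0.0.10'

# main: refuse to render anything if ids collide, else write one file per sensor
main() {
  printf '%s\n' "$SENSORS" | check_unique_ids || return 1
  printf '%s\n' "$SENSORS" | while read -r sid host iface dbhost; do
    render_sensor_config "$sid" "$host" "$iface" "$dbhost" > "${host}.conf"
    echo "wrote ${host}.conf"
  done
}

# Run as "sh thisscript.sh render" to write sensor-a.conf, sensor-b.conf, sensor-c.conf
if [ "${1:-}" = "render" ]; then main; fi
```

Each rendered file is meant to be split into its snort.conf, barnyard2.conf and start-script pieces on the matching sensor; the database host, user and password stay the same on every sensor, and only the hostname, interface and -G id differ, which is exactly the "duplicate it to all other sensors giving each sensor an id number" pattern the reply describes.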

