[Snort-users] Centralized DB Server??

Marc Thompson Marc.Thompson at ...2101...
Mon Jun 11 10:21:12 EDT 2001


I would like to use an IDS architecture using Snort and MySQL 
that utilizes multiple NIDS across many routers and sites, but
only one database to collect alerts.

My question is, wouldn't the action of sending an alert to a
centralized database set off the same rule on a NIDS box sitting
between the alert source and the remote database?

Is the only way to prevent this double-logging of alerts to specify
that the 'in-between' NIDS should ignore traffic from the remote NIDS
to the central database server?  If so, is there a standard way of
specifying this in the Snort configuration file? (ignore traffic
globally to the MySQL TCP port?)

Thank you in advance,
Marc Thompson
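As an added illustration (not part of Marc's post and not Snort code), a small Python model of the double-logging he describes: a content rule fires on the original packet, the sensor's INSERT to the central database carries that same payload, so an in-path sensor fires again; suppressing only the sensor-to-database (src, dst, port) tuple stops the echo without ignoring all MySQL traffic. Addresses, rule name and payload are constructed.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes

# Constructed content rule standing in for a Snort signature.
RULES = {"WEB-MISC /etc/passwd": re.compile(rb"/etc/passwd")}
MYSQL_PORT = 3306
REMOTE_SENSOR, CENTRAL_DB = "198.51.100.20", "203.0.113.2"   # constructed

def alert_record(rule: str, pkt: Packet) -> bytes:
    """What a sensor writes to the central DB: the rule name plus the captured payload."""
    return (f"INSERT INTO event VALUES ('{rule}', '{pkt.src}', "
            f"'{pkt.dst}', {pkt.payload!r})").encode()

def inspect(pkt: Packet, ignore: frozenset = frozenset()) -> list:
    """Rule names a sensor fires on pkt; 'ignore' holds (src, dst, dport) tuples to skip."""
    if (pkt.src, pkt.dst, pkt.dport) in ignore:
        return []
    return [name for name, rx in RULES.items() if rx.search(pkt.payload)]

def simulate(ignore: frozenset = frozenset()) -> tuple:
    """Return (alerts at the remote sensor, alerts at the in-between sensor)."""
    attack = Packet("198.51.100.7", "192.0.2.10", 80,
                    b"GET /../../etc/passwd HTTP/1.0")          # constructed probe
    remote_hits = inspect(attack)
    in_between_hits = []
    for name in remote_hits:
        # The remote sensor logs the alert to the central DB; the in-between
        # sensor sees that INSERT, whose payload still contains the matching bytes.
        db_write = Packet(REMOTE_SENSOR, CENTRAL_DB, MYSQL_PORT, alert_record(name, attack))
        in_between_hits.extend(inspect(db_write, ignore))
    return remote_hits, in_between_hits

# Narrow suppression: only the known sensor -> DB tuple, not all of port 3306.
SENSOR_TO_DB = frozenset({(REMOTE_SENSOR, CENTRAL_DB, MYSQL_PORT)})

if __name__ == "__main__":
    print("without filter:", simulate())
    print("with filter:   ", simulate(SENSOR_TO_DB))
```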