[Snort-users] Centralized DB Server??

Marc Thompson Marc.Thompson at ...2101...
Tue Jun 12 16:44:03 EDT 2001


Kris,

>Are your sensors in different geographic locations?

Thank you for responding.  My sensors will be in several different
geographical locations.  I've been brainstorming this a bit, and it seems
that I should be able to easily ignore alerts that are being generated by
traffic to the MySQL TCP port.  Does this sound like the answer?

Thank you for your response,
Marc Thompson


-----Original Message-----
From: Kris Quinby [mailto:kquinby at ...2243...]
Sent: Tuesday, June 12, 2001 2:29 PM
To: Marc Thompson; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Centralized DB Server??


Are your sensors in different geographic locations?  If not you could have
two network interfaces in each NIDS, one with no IP on the network you are
watching, and one on a "management" network.  Then you could have your MySQL
database on the management network collecting from all your sensors.

Kris

-----Original Message-----
From: Marc Thompson [mailto:Marc.Thompson at ...2101...]
Sent: Monday, June 11, 2001 7:21 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Centralized DB Server??


I would like to use an IDS architecture using Snort and MySQL
that utilizes multiple NIDS across many routers and sites, but
only one database to collect alerts.

My question is, wouldn't the action of sending an alert to a
centralized database set off the same rule on a NIDS box sitting
between the alert source and the remote database?

Is the only way to prevent this double-logging of alerts to specify
that the 'in-between' NIDS should ignore traffic from the remote NIDS
to the central database server?  If so, is there a standard way of
specifying this in the Snort configuration file? (ignore traffic
globally to the MySQL TCP port?)

Thank you in advance,
Marc Thompson
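The snort.conf fragment below is an added example and is not from any poster in this thread or from the Snort project. It shows the two ways of carving out the sensor-to-database traffic that the thread discusses: the global "ignore the MySQL port" exception Marc proposes, and a narrower exception keyed on both endpoints. All addresses, the variable names and the sid values are hypothetical; it assumes a Snort 1.8-era rules syntax (var, pass rules, the -o rule-order switch).

```conf
# Added example, not from the thread: snort.conf for an "in-between" sensor
# that sees other sensors' alerts travelling to the central MySQL server.
# Every address and sid below is a hypothetical placeholder.

# Remote sensors that log to the central database, and the database itself.
var SENSOR_NET [192.0.2.10,192.0.2.11,198.51.100.20]
var DB_SERVER  203.0.113.5
var MYSQL_PORT 3306

# Weak setting: drop the MySQL port globally. Any host reaching any tcp/3306
# becomes invisible to this sensor, which is far wider than the problem.
# pass tcp any any -> any $MYSQL_PORT (sid:1000001;)

# Tighter setting: exempt only the known sensor -> database sessions, in both
# directions, keyed on source host, destination host and port. Other traffic
# on tcp/3306 (e.g. to an application database) is still inspected.
pass tcp $SENSOR_NET any -> $DB_SERVER $MYSQL_PORT (sid:1000002;)
pass tcp $DB_SERVER $MYSQL_PORT -> $SENSOR_NET any (sid:1000003;)

# Pass rules are only consulted before alert rules when Snort is started with
# the -o switch (rule order becomes Pass -> Alert -> Log), for example:
#   snort -o -c /etc/snort/snort.conf
#
# Alternative: keep the sessions out of the capture entirely with a BPF
# filter given as the trailing argument, so no rule ever sees them:
#   snort -c /etc/snort/snort.conf 'not (host 203.0.113.5 and tcp port 3306)'
```

Either form answers the double-logging question for the in-between sensor, but the exception should be tied to the specific database host and sensor addresses rather than to the port alone, so that the sensor does not go blind to every other tcp/3306 session on the monitored segment. The second interface on a management network, as Kris describes, avoids the problem altogether because the alert traffic never crosses a monitored link.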


_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users