[Snort-users] Remote NIDS

Dirk Geschke Dirk_Geschke at ...1344...
Thu Dec 11 00:30:02 EST 2003


Hi Chris,

> I am looking for a method to have remote NIDS log alerts to a central
> SNORT/Acid box running MySQL and Redhat 9.0.
> Anyone have a link for docs on this or recommendations?

there are several solutions available:

1. The easiest is the database output plugin from snort. Look
   at snort.conf to see how to activate it.

2. Barnyard (http://www.snort.org/dl/barnyard/), this program
   uses the unified output plugin and can forward the alerts
   directly to the TCP/IP interface of a central database.

3. Mudpit (http://www.fidelissec.com/mudpit.html), this is similar
   to barnyard and also uses the unified output plugin of snort.

4. FLoP (http://www.geschke-online.de/FLoP). This project uses
   a unix domain socket to get the alerts from snort, no local
   files are used. These alerts are forwarded to a central server
   where they are buffered and then fed via a unix socket
   into the database. This should be the fastest solution since
   there is less network traffic between the sensor and the central
   server.

I would recommend FLoP (I am the author of it... ;-))

Best regards

Dirk
--
+-------------------------------------------------------------+
| Dr. Dirk Geschke            | E-mail: geschke at ...1344...      |
| Gesellschaft fuer Netzwerk  | Tel.  : +49-(0)-89-991950-131 |
| und Unix Administration mbH | Fax   : +49-(0)-89-991950-999 |
| 85551 Kirchheim / Germany   | Domagkstrasse 7               |
+-------------------------------------------------------------+
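As an added illustration (not part of Dirk's reply, nor taken from any of the listed projects), here are the snort.conf lines that select option 1 versus option 2, with the operational difference a defender cares about noted in the comments; the host name, user, password, database name and file limit are placeholders:

```conf
# Added example, not from the original post. Placeholders: acid.example.org,
# user snort, password CHANGEME, database snort, spool limit 128 (MB).

# --- Option 1: database output plugin, the sensor talks to MySQL itself ---
# The sensor holds a live database credential and needs a TCP path to the
# central DB, so a compromised sensor has write access to the alert store,
# and a slow or unreachable DB stalls the sniffing process (dropped packets).
output database: alert, mysql, user=snort password=CHANGEME dbname=snort host=acid.example.org

# --- Option 2: unified output plus a separate forwarder (Barnyard/Mudpit) ---
# snort only writes binary spool files locally; the forwarder runs as its own
# process, reads the spool and ships events to the DB. A DB outage no longer
# blocks packet processing, and the DB credential lives in the forwarder's
# config rather than in snort.conf. Keep the spool directory readable only
# by the snort and forwarder accounts, since it holds raw alert payloads.
output unified: filename snort.unified, limit 128
```

Option 4 (FLoP) replaces both the spool file and the per-sensor database credential with a unix domain socket to a local forwarder, which is why it needs no local files at all.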