[Snort-users] IDS Topology

Erek Adams erek at ...950...
Thu Jan 9 21:37:02 EST 2003


On Thu, 9 Jan 2003, Saul Bosquez wrote:

> I'm runnin' Red Hat 7.3 on a Compaq ProLiant server and I'm trying to
> install Snort 1.8.7 on it.
> In the setup guide, in the conceptual IDS topology section, there are 3
> sensors and a centralized ACID, MySQL database.
> If I'm only using one sensor, maybe it would be easier to have the sensor
> and the database on the same machine and deploy it outside the
> firewalled network. What do you think, guys?

Well...  There are better ways to do it, IMHO.  :)

If you have your sensor and DB on the same box, you're having to share
resources with Snort.  Depending on your traffic, that could be a very bad
thing.  If you have the spare box, place a sensor interface (stealth)
outside of your FW and log to a DB box on the inside.

If you don't have a spare box....  Well, do what you best can do.  :)  Or
'borrow' one from someone's desk.  ;-P

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
