AW: [Snort-users] IDS Topology

Poppi, Sandro Sandro.Poppi at ...3316...
Thu Jan 9 22:25:05 EST 2003

I fully agree with Erek. If you have another box use that for db.

I found that a box running snort and mysql decreases its performance the
more alerts are stored in the database and the more db accesses are run
(using ACID e.g.). Also the drop rate increases which in my eyes has to be
zero. This is even more true the more sensors are logging to the db.

Just my 2 cents.

So long,
> On Thu, 9 Jan 2003, Saul Bosquez wrote:
> > I'm runnin' Redhat 7.3 on a Compaq proliant server and I'm trying to
> > install snort 1.8.7 on it.
> > On the setup guide in the conceptual IDS topology section, there are 3
> > sensors and a centralized acid, mysql database.
> > If I'm only using one sensor maybe would be easier to have the sensor
> > and the database on the same machine and deploy it outside the
> > firewalled network. What do you think guys?
> Well...  There are better ways to do it, IMHO.  :)
> If you have your sensor and DB on the same box, you're having to share
> resources with Snort.  Depending on your traffic, that could be a very bad
> thing.  If you have the spare box, place a sensor interface (stealth)
> outside of your FW and log to a DB box on the inside.
> If you don't have a spare box....  Well, do what you best can do.  :)  Or
> 'borrow' one from someone's desk.  ;-P
> -----
> Erek Adams
>    "When things get weird, the weird turn pro."   H.S. Thompson
