[Snort-users] 1.8.7 vs 1.9.0

Bennett Todd bet at ...6163...
Fri Jan 10 11:04:05 EST 2003


2003-01-10T11:36:49 Saul Bosquez:
> Ok guys I already installed the 1.8.7 following directions from
> http://www.snort.org/docs/snort-rh7-mysql-ACID-1-5.pdf so please give me
> some directions to remove it completely from the machine so I can
> install the 1.9.0 version without conflicts.

That doc seems to recommend

	./configure --with-mysql
	make
	make install

I've not done the --with-mysql bit, but AFAIK the "make install"
part will simply install the snort executable in /usr/local/bin/ and
man page in /usr/local/man/man8/; and so the 1.9.0 make install will
simply overwrite them. I.e., you don't have to do anything.

> What updates do I need from
> http://www.redhat.com/support/errata/rh73-errata.html to get the
> snort running smoothly?

None. If you want to run various Red-Hat-provided services and avoid
security problems, you should update those services, but Snort runs
fine on stock RH73. Installing all the updates RedHat publishes that
apply to packages that you have installed is generally good admin
hygiene, but isn't specifically critical to Snort.

> About the topology.. I have two machines available for this project: 
> 1- a proliant dl360 server with 2 ethernet cards 
> 2- a celeron 500Mhz with 64Mb RAM and a 10gig hdd and 1 ethernet card
> What configuration do you recommend guys?

If traffic isn't an issue, then I'd run snort on the dual-interface
proliant, and run MySQL and ACID on the one-interface box; I'd run
ipchains or iptables configured to tightly restrict access to that
box. The snort box would have one interface unnumbered with snort
listening on it (I'd use eth1 for that) and the other would be the
numbered management interface, it'd send its DB updates to the DB
box through that interface.

I'd ssh into the DB box to run ACID.

I suspect (although I don't know for sure) that the MySQL server
would actually have to work harder than the snort box, unless you've
got your config tuned so you trip very few alerts. If that's so,
then if your traffic levels are high enough, you might have to
reverse the roles of the two boxes, even though that'd leave you in
the unfortunate situation of being unable to use an unnumbered
interface for snorting.

-Bennett
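The two-box layout above (unnumbered sniffing interface on the sensor, MySQL/ACID box reachable only from the sensor's management interface and an admin host over ssh), written out as an added example script; it is not part of the original post, and the addresses, interface name and database credentials are constructed placeholders.

```shell
#!/bin/sh
# Constructed addresses for this example; replace with your own.
SNORT_MGMT="192.168.10.2"    # snort box, numbered management interface
DB_BOX="192.168.10.3"        # MySQL/ACID box
ADMIN_HOST="192.168.10.50"   # workstation that ssh's in to run ACID
SNIFF_IF="eth1"              # unnumbered sniffing interface on the snort box
IPT="${IPT:-iptables}"       # set IPT=echo to print the rules instead of loading them
IFCONFIG="${IFCONFIG:-ifconfig}"

# DB box: default-deny inbound; only MySQL from the sensor's management
# address and ssh from the admin host. Everything else is logged and dropped.
db_box_rules() {
    $IPT -F INPUT
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp -s "$SNORT_MGMT" --dport 3306 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p tcp -s "$ADMIN_HOST" --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -j LOG --log-prefix "dbbox-drop: "
}

# Snort box: nothing is accepted on the sniffing interface at all, and only
# ssh from the admin host is accepted on the management side.
snort_box_rules() {
    $IPT -F INPUT
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$SNIFF_IF" -j DROP
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp -s "$ADMIN_HOST" --dport 22 -m state --state NEW -j ACCEPT
}

# Bring the sniffing interface up with no address, no ARP and promiscuous mode,
# so it cannot be addressed from the monitored segment.
bring_up_sniff_iface() {
    $IFCONFIG "$SNIFF_IF" 0.0.0.0 up promisc -arp
}

# snort.conf output line that sends alerts to the DB box over the management
# interface (Snort 1.x database output plugin syntax; password is a placeholder).
snort_db_output_line() {
    echo "output database: log, mysql, user=snort password=CHANGEME dbname=snort host=$DB_BOX"
}

case "${1:-}" in
    db)    db_box_rules ;;
    snort) snort_box_rules; bring_up_sniff_iface; snort_db_output_line ;;
esac
```

Run as `sh topology.sh db` on the database box and `sh topology.sh snort` on the sensor; with `IPT=echo IFCONFIG=echo` it only prints what it would do.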