[Snort-users] About to setup snort

Shaun T. Erickson ste at ...11690...
Thu May 20 13:58:08 EDT 2004


I'm about to embark on seting up snort on our networks. The plan is to 
have a number of sensors (3) that outputs alerts, and related logged 
packets, in unified format. Each sensor would also run barnyard, to pick 
up the logged alerts and packets and send them to a central server, for 
analysis. The central server would have a mysql database with an acid 
front-end. I've heard that acid doesn't send alerts (I could be wrong), 
so the plan would be to have an additional (as yet undetermined) program 
access the database and send out email/pager alerts as needed. It's also 
hoped that the mysql/acid setup could also receive, store and process 
syslog information coming from two sonicwall firewalls and an iptables 
firewall, and alert us as needed, based on that information, as well.

Our networks are small, and with a small number of servers and clients. 
Until such a time as we can afford switches that support a monitoring 
port, we are replacing our 100Mb switches with 100Mb hubs, so that we 
can get access to all the traffic. Each sensor will be plugged into the 
network it's to monitor, twice - once for normal access to the sensor, 
via ssh, for the sensor to send it's data to the central server, etc., 
and once with a nic in promiscuous mode for capture purposes.

Does this all sound reasonable?

Another question: One sensor will be running on FreeBSD. I see there is 
a port for snort, but I cannot find one for barnyard. Is there one? The 
other sensors will be running on (for the moment) Red Hat 8 and Red Hat 
Advanced Server 2.1 (I'm forced to run my sensors on existing servers, 
for the time being. Later, I'll be allowed to by dedicated systems.) Are 
there RPMS for the latest versions of snort and barnyard for those two 
platforms? My central server is dedicated, btw.

I'm to embark on this tomorrow. Any insights/advice and so on is most 
welcome. TIA.

	-ste




More information about the Snort-users mailing list