[Snort-users] About to setup snort
Shaun T. Erickson
ste at ...11690...
Thu May 20 13:58:08 EDT 2004
I'm about to embark on seting up snort on our networks. The plan is to
have a number of sensors (3) that outputs alerts, and related logged
packets, in unified format. Each sensor would also run barnyard, to pick
up the logged alerts and packets and send them to a central server, for
analysis. The central server would have a mysql database with an acid
front-end. I've heard that acid doesn't send alerts (I could be wrong),
so the plan would be to have an additional (as yet undetermined) program
access the database and send out email/pager alerts as needed. It's also
hoped that the mysql/acid setup could also receive, store and process
syslog information coming from two sonicwall firewalls and an iptables
firewall, and alert us as needed, based on that information, as well.
Our networks are small, and with a small number of servers and clients.
Until such a time as we can afford switches that support a monitoring
port, we are replacing our 100Mb switches with 100Mb hubs, so that we
can get access to all the traffic. Each sensor will be plugged into the
network it's to monitor, twice - once for normal access to the sensor,
via ssh, for the sensor to send it's data to the central server, etc.,
and once with a nic in promiscuous mode for capture purposes.
Does this all sound reasonable?
Another question: One sensor will be running on FreeBSD. I see there is
a port for snort, but I cannot find one for barnyard. Is there one? The
other sensors will be running on (for the moment) Red Hat 8 and Red Hat
Advanced Server 2.1 (I'm forced to run my sensors on existing servers,
for the time being. Later, I'll be allowed to by dedicated systems.) Are
there RPMS for the latest versions of snort and barnyard for those two
platforms? My central server is dedicated, btw.
I'm to embark on this tomorrow. Any insights/advice and so on is most
More information about the Snort-users