[Snort-users] Re: About to setup snort

Richard Bejtlich taosecurity at ...11827...
Thu May 20 20:59:17 EDT 2004


Shaun T. Erickson wrote:

The central server would have a mysql database with an acid front-end.
I've heard that acid doesn't send alerts (I could be wrong), so the
plan would be to have an additional (as yet undetermined) program
access the database and send out email/pager alerts as needed....

One sensor will be running on FreeBSD. I see there is a port for
snort, but I cannot find one for barnyard. Is there one?

--

Hi Shaun,

You will probably quickly discover that ACID and other Web-based alert
browsers don't give you the full content or session data you need to
do real investigations.  If you get frustrated with ACID, consider
Sguil (sguil.sourceforge.net).  When you use Sguil, you realize a
Snort alert isn't the end of the story -- it's only the beginning.

You can tell Sguil to email you alert information if you so desire. 
Currently it does not accept alert data from sources other than Snort,
so it's not a "complete solution" to your problem.

I will be releasing Sguil 0.4.0 install docs for FreeBSD within the
next week.  The current docs explain how to install 0.3.1, but 0.4.0
has some new features.  I also plan to update the dependencies.  I
hope to time the doc release with Snort 2.1.3.

Concerning Barnyard on FreeBSD -- there is currently no port. 
However, you can get 0.2.0 to compile fine from source with MySQL
4.0.x if you follow my hint from this thread:

http://www.mcabee.org/lists/snort-users/May-04/msg00240.html

I also run full Sguil sensor and server installs on Red Hat Linux 9.0.

Good luck,

Richard
http://www.taosecurity.com
