[Snort-users] Best way to deploy snort

Paul Schmehl pschmehl_lists at ...14358...
Tue Apr 6 14:48:24 EDT 2010


--On Tuesday, April 06, 2010 09:51:40 +0800 Kum Weng Luey 
<kumwengluey at ...11827...> wrote:

> Hi all,
>
> I was wondering what would be the optimal setting to deploy snort with base
> and barnyard.

1) Don't use barnyard.  Use barnyard2.

> I am thinking of separating the mysql database from snort
> itself and place it on a remote server.

That's up to you.  Either way will work.  Depending upon how much horsepower 
your box has (cpu and memory) snort and mysql can coexist on the same box.

> I am wondering do I need to have an
> additional interface for snort ? One interface for sniffing and the other to
> push alerts to the mysql server.

Yes.  Once interface for passive sniffing, and one interface for management of 
the box.  It doesn't matter if mysql is local or remote.  You will still need 
two interfaces.

>
> One last question: Would snort be better off being placed in the DMZ to sniff
> incoming traffic or within the internal LAN between the router and the
> firewall.
>

That depends entirely upon your network topology and what you want to monitor. 
Snort will "see" whatever traffic passes its passive interface.  What traffic 
that is depends upon what you are trying to accomplish.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson





More information about the Snort-users mailing list