[Snort-users] Best way to deploy snort

Kum Weng Luey kumwengluey at ...11827...
Tue Apr 6 21:42:48 EDT 2010

Yet another question. I tried installing barnyard2 somehow it's not pushing
data to the mysql server. However, when i shutdown barnyard2, packages being
read from the spool or .alert files. I have copied my configurations from
barnyard to barnyard2. Why is this so?

Thank you paul for answering my initial query.


On Wed, Apr 7, 2010 at 2:48 AM, Paul Schmehl <pschmehl_lists at ...14358...>wrote:

> --On Tuesday, April 06, 2010 09:51:40 +0800 Kum Weng Luey <
> kumwengluey at ...11827...> wrote:
> Hi all,
>> I was wondering what would be the optimal setting to deploy snort with
>> base
>> and barnyard.
> 1) Don't use barnyard.  Use barnyard2.
> I am thinking of separating the mysql database from snort
>> itself and place it on a remote server.
> That's up to you.  Either way will work.  Depending upon how much
> horsepower your box has (cpu and memory) snort and mysql can coexist on the
> same box.
> I am wondering do I need to have an
>> additional interface for snort ? One interface for sniffing and the other
>> to
>> push alerts to the mysql server.
> Yes.  Once interface for passive sniffing, and one interface for management
> of the box.  It doesn't matter if mysql is local or remote.  You will still
> need two interfaces.
>> One last question: Would snort be better off being placed in the DMZ to
>> sniff
>> incoming traffic or within the internal LAN between the router and the
>> firewall.
> That depends entirely upon your network topology and what you want to
> monitor. Snort will "see" whatever traffic passes its passive interface.
>  What traffic that is depends upon what you are trying to accomplish.
> --
> Paul Schmehl, Senior Infosec Analyst
> As if it wasn't already obvious, my opinions
> are my own and not those of my employer.
> *******************************************
> "It is as useless to argue with those who have
> renounced the use of reason as to administer
> medication to the dead." Thomas Jefferson
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20100407/5ef02b4b/attachment.html>

More information about the Snort-users mailing list