[Snort-users] Snort, BASE, and FRW

Joao Daniel Neves joaodanielnevesss at ...125...
Wed Sep 26 07:33:06 EDT 2012


> you obviously do not have BASE looking to the loggings of both sensors... either

As far as I know, BASE won't do logging. Snort/BARNYARD2 will do it. BASE is just a front-end to
manage the database.

> that OR they are not both posting to the same place that base is reading from...

I have checked it twice; they are logging to the same place that BASE is reading.
 
> OR they are not differentiating their postings by their sensor ID...
I don't know if it is possible, since sensor names are 'hostname:interface'.

The log files (/var/log/snort) from frw2 are empty. So, probably snort/BARNYARD2 is not logging anything!




> Date: Wed, 26 Sep 2012 00:07:08 -0400
> From: wkitty42 at ...14940...
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Snort, BASE, and FRW
> 
> On 9/25/2012 10:00, Joao Daniel Neves wrote:
> > Snort Users,
> >
> > I'm deploying a snort installation. The environment is a bit simple:
> > two firewalls. The second firewall is for high-availability.
> >
> > Of course, Snort is running in both firewalls. ;-)
> >
> > However, BASE only shows one sensor (with alerts from frw1). Is this acceptable?
> > Is this the correct behavior?
> 
> you obviously do not have BASE looking to the loggings of both sensors... either 
> that OR they are not both posting to the same place that base is reading from... 
> OR they are not differentiating their postings by their sensor ID...