[ale] RE: Snort
Christopher Fowler
cfowler at outpostsentinel.com
Tue Aug 19 13:48:44 EDT 2003
I've got snort running with the standard distribution configuration
files. I've got it sending to the database and I'm using ACID. I'm
actively on the network. Should I see anything on the
main ACID screen?
Queried on : Tue August 19, 2003 13:47:55
Database: snort at 192.168.2.5 (schema version: 106)
Time window: no alerts detected
Sensors: 1
Unique Alerts: 0 ( 0 categories )
Total Number of Alerts: 0
Source IP addresses: 0
Dest. IP addresses: 0
Unique IP links 0
Source Ports: 0
TCP ( 0) UDP ( 0)
Dest. Ports: 0
TCP ( 0) UDP ( 0)
That is what I see and I have traffic going back and forth. Maybe it only
sends data when an alert has been met?
On Tue, Aug 19, 2003 at 01:26:46PM -0400, sangell at nan.net wrote:
>
> It is a great tool. I set up Snort sensors on multiple boxes: pre-firewall,
> post-firewall, DMZ, and I set up an extranet. I pipe the output from the 3
> Snort boxes to the extranet where a MySQL database stores all the data. I
> set up an Apache server and used A.C.I.D. to access the data in the SQL
> database. It all works very seamlessly and was fairly simple to set up. I
> found all the documentation I needed to set this up right off of Snort's
> website. I am sure there are other methods for setting this up but this was
> perfect for what I wanted, which was a secondary IDS over my ISS products. I
> am also going to set up a similar scenario at home as soon as I can isolate
> a few 300 MHz systems being retired.
>
> Good luck.
> \_\_\_\_\_\_\_\_\_\_\_/_/_/_/_/_/_/_/_/_/_/
> \_ Steve Angell, MCSE, CCNA _/
> \_ Senior MIS Manager, Operations _/
> \_ TSYS Debt Management _/
> \_ Norcross, GA _/
> \_ Phone 770-409-5570 _/
> \_ Fax 770-416-1752 _/
> \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
>
> Christopher Fowler <cfowler at outpostsentinel.com> (sent by ale-admin at ale.org)
> wrote to ale at ale.org on 08/19/2003 01:20 PM, subject "[ale] RE: Snort":
>
> This snort program is really cool. I've got it logging to a
> directory called /tmp/sno. It seems that you can have it go
> into a database. Will it dump the packet data into the database or
> just the header info? I want to make sure the database does not
> grow uncontrollably. My database is behind the firewall so I can just
> dump there. It may be feasible to create a wiretap.
>
>
> -- Rx [ ] --- [ ] Rx --
> -- Tx [ ] --- [ ] Tx --
> |
> | Rx
> [ ]
> [ ] Snort.
>
>
> Would this be the correct cable configuration? I assume that I'll
> need to send Rx+ and Rx- to the IDS but do not need to worry
> about Tx+ and Tx-.
>
> Chris
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale
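The two questions in this thread (does anything reach the database before a rule fires, and does the database get the packet payload or only headers) can be answered with a small model of the Snort database output plugin. The following is an added example and not code from the thread or from the Snort project. It assumes a subset of the Snort MySQL schema that ACID queries (sensor, event, signature, iphdr, data; column names taken from my reading of schema version 106) and assumes the output plugin's detail setting (full versus fast) is what decides whether the payload row is written. The traffic, the rule matcher and the sample signature are constructed for illustration; the ACID summary queries are my reconstruction of what the main screen counts.

```python
"""Model of Snort's database output plugin feeding an ACID-style summary.

Added example: the schema is a subset of the Snort DB schema (version 106,
column names assumed), the rule matcher is a toy stand-in for the detection
engine, and the ACID counts are reconstructed from what the main screen shows.
"""
import sqlite3

# Subset of the Snort database schema that ACID's summary reads (assumed columns).
SCHEMA = """
CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT,
                     detail INTEGER, last_cid INTEGER);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_sid INTEGER);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                    PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                    ip_proto INTEGER, PRIMARY KEY (sid, cid));
CREATE TABLE data (sid INTEGER, cid INTEGER, data_payload TEXT,
                   PRIMARY KEY (sid, cid));
"""

# Constructed traffic: (src, dst, ip_proto, payload). Only the third packet
# matches the toy rule below; the first two are ordinary traffic.
TRAFFIC = [
    ("192.168.2.10", "192.168.2.5", 6, b"GET / HTTP/1.0\r\n\r\n"),
    ("192.168.2.11", "192.168.2.5", 17, b"\x00\x01\x02"),
    ("10.0.0.7", "192.168.2.5", 6, b"GET /cgi-bin/phf HTTP/1.0\r\n\r\n"),
]


def open_db():
    """In-memory database with one sensor and one (illustrative) signature."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO sensor VALUES (1, 'sensor1', 'eth0', 1, 0)")
    conn.execute("INSERT INTO signature VALUES (1, 'WEB-CGI phf access', 886)")
    return conn


def ip2int(dotted):
    """Snort stores IPv4 addresses as unsigned 32-bit integers."""
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def match_rule(packet):
    """Toy stand-in for the rule engine: sig_id of the matching rule, or None."""
    src, dst, proto, payload = packet
    if proto == 6 and b"/cgi-bin/phf" in payload:
        return 1
    return None


def run_sensor(conn, traffic, detail="full"):
    """Feed packets through the sensor; return how many database events were written.

    Nothing is written unless a rule fires. With detail="full" the payload is
    stored hex-encoded in the data table; with detail="fast" only the event
    and header rows are written (assumed behaviour of the plugin's detail option).
    """
    sid = 1
    written = 0
    for pkt in traffic:
        sig = match_rule(pkt)
        if sig is None:
            continue  # no alert: the database output plugin never sees this packet
        cid = conn.execute("SELECT last_cid FROM sensor WHERE sid=?", (sid,)).fetchone()[0] + 1
        conn.execute("UPDATE sensor SET last_cid=? WHERE sid=?", (cid, sid))
        src, dst, proto, payload = pkt
        conn.execute("INSERT INTO event VALUES (?,?,?,datetime('now'))", (sid, cid, sig))
        conn.execute("INSERT INTO iphdr VALUES (?,?,?,?,?)",
                     (sid, cid, ip2int(src), ip2int(dst), proto))
        if detail == "full":
            conn.execute("INSERT INTO data VALUES (?,?,?)", (sid, cid, payload.hex()))
        written += 1
    conn.commit()
    return written


def acid_summary(conn):
    """Counts corresponding to the figures on the ACID main screen (reconstructed)."""
    def one(sql):
        return conn.execute(sql).fetchone()[0]
    return {
        "total_alerts": one("SELECT COUNT(*) FROM event"),
        "unique_alerts": one("SELECT COUNT(DISTINCT signature) FROM event"),
        "source_ips": one("SELECT COUNT(DISTINCT ip_src) FROM iphdr"),
        "dest_ips": one("SELECT COUNT(DISTINCT ip_dst) FROM iphdr"),
        "payloads_stored": one("SELECT COUNT(*) FROM data"),
    }


if __name__ == "__main__":
    conn = open_db()
    run_sensor(conn, TRAFFIC[:2])          # benign traffic only: summary stays at zero
    print("after benign traffic:", acid_summary(conn))
    run_sensor(conn, TRAFFIC)              # one matching packet: one event, one payload row
    print("after a matching packet:", acid_summary(conn))
```

Run against the benign packets only, every count stays at zero, which is exactly the ACID screen in the message above: the plugin writes on alert, not on traffic. The quickest way to prove a live sensor-to-database path is therefore to fire a rule deliberately (a rule whose content matches a packet you can send yourself) and watch the event count move. For database growth, the data table is where the bulk goes, since each full-detail event carries the payload hex-encoded.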