AW: Multiple Snort sensors

["Poppi, Sandro" <Sandro.Poppi () wacker com>]

Fermin,

I would suggest 2 alternatives:

1. Use the output plugin alert_syslog in snort.conf to log to syslog and
forward all syslog entries from snort to a central syslog. On a RedHat linux
this would be:

Server
/etc/sysconfig/syslog:
SYSLOGD_OPTIONS="-m 0 -r"

/etc/syslog.conf:
local0.*                /var/log/messages

Remote "Client"
/etc/syslog.conf:
local0.*                @<ip/hostname of syslog server>

/etc/snort/snort.conf:
output alert_syslog: LOG_LOCAL0 LOG_ALERT LOG_PID

2. Use barnyard when performance of snort is an issue:
let snort use output plugin alert_unified to log to a local file and let
barnyard take that file as input to log to a central station. This could
also be a central database server like mysql.

For barnyard related stuff take a look on www.snort.org and/or
sourceforge.net/projects/barnyard.

HTH,
Sandro

> Hello everyone.
>
> I would like if it is posible to have multiple Snort sensors
> running simultaneously in different hosts outputing logs to
> the same place or if it nos possible due to some concurrence 
> problems.
>
> I mean,
>
> snort -l log [...] in host1
> snort -l log [...] in host2
> snort -l log [...] in host3
>
> where log is a shared directory (via NFS, for example).
>
> Thanks in advance.
>
> ------------
> Fermin Galan
>
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users