Snort mailing list archives

Re: Problem with using 2 sensors


From: Joel Esler <jesler () sourcefire com>
Date: Sat, 8 Oct 2011 17:31:34 -0400

On Oct 8, 2011, at 13:40, James Lay <jlay () slave-tothe-box net> wrote:

> 2) Second, I was always under the impression that when setting up a Snort sensor, in order to keep it stealthy you
> do not assign it an ip address. If that is the case, then how do I do what you suggest? I mean, if I set up eth1 as
> follows: "ifconfig eth1 0.0.0.0", then what ip address do I have MySQL bind to?

You should have two interfaces. One for management and one for sniffing. Hopefully you can put them on different
networks. The management interface should have an IP and the sniffing interface should not.



> 3) Third - when I had Snort/BASE running last week (when it would only report alerts on one sensor), I noticed that
> the amount of data shown in BASE for each alert was kind of skimpy compared to the way it was when I had it set up in
> the past. So that leads me to output questions:
>
> Should I use "output database: log...." or "output database: alert" if I want to maximize what is captured by
> Snort/MySQL.

You shouldn't use either one. This output option will be removed completely in a future version of Snort. The warnings
about this should start coming up in the next version.



> And in Barnyard2.conf should I use "output alert_fast" or "output alert_full"?

If you are using barnyard2 then you should be using the unified2 output method.  Not directly to database. 


> I have looked for the answers to all of these questions - I get conflicting info on them. One more thing - If I can
> ever get this set up successfully, I am going to write a config guide and submit it to Snort.org - I have looked through
> all of the guides that are currently posted there, and not one of them mentions half of the things that you all have
> told me on this thread.

We always welcome submissions if they make sense. The problem with Snort.conf setups is that they are different for 
every network you are on. No "standard configuration" is a one size fits all. The closest thing you have for that is 
the snort.conf that comes in the VRT ruleset. 

It turns on the appropriate settings, rulesets (vulnerability, malware, spyware, etc) and configurations that you 
should start with, and build from there, after you are comfortable doing so. 

Joel
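Editor's note, added to this archive page and not part of the thread or of the Snort project's own documentation: the fragments below show the shape of the setup Joel describes. Snort writes only unified2 spool files, barnyard2 reads that spool and is the only process that talks to MySQL, and MySQL is bound to the management address rather than to the address-less sniffing interface. The sensor name "sensor1", the password placeholder, and the address 192.0.2.20 (a documentation range) are assumptions; the paths are the usual Snort defaults.

```conf
# --- /etc/snort/snort.conf (fragment) ---
# Snort writes alerts plus packet data to unified2 spool files only.
# There is deliberately no "output database:" line here.
output unified2: filename merged.log, limit 128

# --- /etc/snort/barnyard2.conf on the sensor (fragment) ---
# hostname + interface identify this sensor's row in the database.
# Give each sensor its own pair, otherwise events from two sensors
# are filed under one sensor in BASE. (sensor1 / eth1 are assumed names)
config hostname: sensor1
config interface: eth1
config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map

# read the unified2 spool Snort produces
input unified2

# barnyard2, not Snort, connects to MySQL over the management network.
# "log" stores the packet payload as well as the alert; 192.0.2.20 is a
# constructed address for the database host; replace CHANGEME.
output database: log, mysql, user=snort password=CHANGEME dbname=snort host=192.0.2.20

# --- /etc/mysql/my.cnf on the database host (fragment) ---
# Listen only on the management address, never on 0.0.0.0.
[mysqld]
bind-address = 192.0.2.20
```

The sniffing interface is brought up with no address, as in the `ifconfig eth1 0.0.0.0` form quoted above (with iproute2: `ip link set dev eth1 up` followed by `ip link set dev eth1 promisc on`). Snort is then run against that interface, `snort -c /etc/snort/snort.conf -i eth1`, and barnyard2 follows the spool with `barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f merged.log -w /var/log/snort/barnyard2.waldo`, where the waldo file records how far into the spool it has read. A second sensor uses the same files with a different `config hostname` (and its own interface name) so that BASE shows both.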
