Re: Snort, BASE, and FRW

[Joao Daniel Neves <joaodanielnevesss () hotmail com>]

> you obviously do not have BASE looking to the loggings of both sensors... either

As far as I know BASE wont do logging. Snort/BARNYARD2 will do it. Base is just a front-end to
the manage the database. 

> that OR they are not both posting to the same place that base is reading from...

I have cheked it twice, they are logging for the same place that base is reading. 
 
> OR they are not differentiating their postings by their sensor ID...
I dont know if it is possible since sensor names, are 'hostname:interface'

The logs files (/var/log/snort) from frw2 are empty. So, problably snort/BARNYARD2 is not logging anything! 




> Date: Wed, 26 Sep 2012 00:07:08 -0400
> From: wkitty42 () windstream net
> To: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] Snort, BASE, and FRW
>
> On 9/25/2012 10:00, Joao Daniel Neves wrote:
> > Snort Users,
> >
> > I'm deploying a snort installation. The enviroment is a bit simple
> > two firewalls. The second firewall is for high-availibilty.
> >
> > Of course, Snort is running in both firewalls. ;-)
> >
> > However, BASE only shows one sensor (with alerts from frw1). Is this acceptable?
> > Is the the correct behavior?
>
> you obviously do not have BASE looking to the loggings of both sensors... either 
> that OR they are not both posting to the same place that base is reading from... 
> OR they are not differentiating their postings by their sensor ID...
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and 
> threat landscape has changed and how IT managers can respond. Discussions 
> will include endpoint security, mobile security and the latest in malware 
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!