Snort

[shrumhead]

This is probably a stupid question but I am a complete novice with snort and IDS systems but I was curious if you could just have one box do the database/sensor work for snort? I am in a very small network, 50 computers probably and my boss wanted a snort server for whatever reason. I know my way around FreeBSD well enough to give a go at this but I hear it's a major pain in the butt. Anybody with lots of experience with snort that can shed some light on a poor novice ?

Thanks much,

...Shrum

 

[Xipher]

You can have snort log its alerts to a database, via the configuration. You can also use barnyard to do it as well, since snort will die if it the connection to the DB is lost. I have found that BASE is a good front end for the database.
Also, Oinkmaster can help you keep up to date on your snort rules, and check out Bleedingsnort for some more rules. As for integrating all of this, I don't know or have a link to any tutorials.

 

[shrumhead]

I've read enough to understand how snort works; I was just curious about my first question there. I found a few tutorials and all of them specify seperate computers for databases/sensors. We have one really powerful server machine sitting around and I can put up to 4 NICs in it. The reason I want to do it all on one computer is that the only other machine we have not in use is a POS.

If anybody knows I would be greatful for the help.

 

[Xipher]

Simply run all the services on that machine, and tell snort/barnyard and BASE (or whatever you use) to use localhost for the DB server.

 

[MorfiusX]

I've read enough to understand how snort works

The information on Snort's site is very helpful. It gives all the background you need to understand what is going on.

http://snort.org/docs/

 

[Bean Dip]

This site has a good writeup on setting up a Snort standalone box.

He lays it out in easy to do steps. The only thing I wish I had time to go a step further and figure out the Squil frontend