I have a question:
my Snort sensors have 2 network card; I want to set the sensor for to controll the net that is connected on the netcard A and send the result to a database that is on the net of netcard B.
There are people that know how I can to make this ??


Thank's very much

Blue_owl :)

p.s. (excuse me fo my English but I'm not mother tongue :D )

When you fire off snort, use the flag -i to select the device name. You can also go into your snort.conf and search for the string 'database'. It will give you a few 'suggestions' for options, usually to a mysql database. You could then use something like stunnel to send the encrypted database entries to a central mysql server.

Neb

neb...well said.

In addition, if you have not done so already, unbind the IP stack from the "sniffing" adaptor to prevent the box from being detected on your network. The only interface that should have an IP on an IDS box is the management interface.

I dont know what OS you are running, but if in linux(particularly red hat 7+) the document at the following link should be very helpful. Even if not running redhat, you can probably still get a lot of info from it.

http://www.snort.org/docs/snort-rh7-mysql.pdf