Hey all, I am extremely interested in Snort after doing some more research. I have a Cisco IDS now, but Snort is so much cheaper and more flexible at first look. I am designing my deployment in the same fashion as Tiger_Shark, meaning using Kiwi. I am guessing you just set Snort to syslog to the Kiwi box versus dumping it in MySQL or some other database first? I could use a little clarity on that issue.

I was also wondering if anyone is using a single box to monitor 3 sensors. For example, if I place 3 NICs in a single Linux box, can I monitor all 3 sensors with Snort? Hmm, would I even want to? That would make a single compromise point for the IDS system? How did you all handle multiple sensors with Snort? I have some more questions, but it's time to pull all the Snort references from AO and go through that bit first.

EDIT: I was looking at OLD documentation of Snort. The current version supports syslog, it seems.
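An added example (mine, not from this post, not from Tiger_Shark's setup, and not Snort project documentation) of the syslog path the post asks about: a Snort 2.x snort.conf fragment that emits alerts to the local syslog daemon, plus the rsyslog line that forwards them to the Kiwi box. The Snort version, the Kiwi address 192.0.2.10, and the use of rsyslog on the sensor are all assumptions.

```conf
# Added example, not from the original post. Assumes Snort 2.x on a Linux
# sensor running rsyslog; 192.0.2.10 is an assumed address for the Kiwi box.

# --- /etc/snort/snort.conf (on each sensor) ---
# Send alerts to the local syslog daemon with facility LOG_AUTH and
# priority LOG_ALERT. Snort writes only the alert line (message,
# classification, priority, src/dst), never the packet payload.
output alert_syslog: LOG_AUTH LOG_ALERT

# Keep a full-payload record on the sensor as well (unified2, rotated at
# 128 MB), so syslog is the alerting path but not the only evidence.
output unified2: filename snort.u2, limit 128

# --- /etc/rsyslog.conf (on each sensor) ---
# Forward everything Snort logs under LOG_AUTH to Kiwi on UDP/514
# (single @ = UDP, @@ = TCP). Kiwi listens on UDP 514 by default.
auth.* @192.0.2.10:514
```

With this in place there is no database step: Snort logs to the local daemon and the daemon forwards to Kiwi, so the sensor needs no MySQL client or credentials. Two caveats worth knowing before choosing this over `output database`: syslog over UDP is unauthenticated and can drop alerts under load, and the syslog line carries no packet data, so the triggering packet has to be pulled from the sensor's unified2 file rather than from Kiwi. For the three-NIC question, each monitored interface needs its own Snort process (for example `snort -D -i eth1 -c /etc/snort/snort.conf`, then the same with `-i eth2` and `-i eth3`, each with its own PID file); all three can share the one alert_syslog setting above.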