Hi Vladimir,
1. You use BPF filter to avoid that both instances see the same
traffic (why do you want to be alerted on both interfaces for
> the same packet?)
I use snort on 2 interfaces because I wait that some attacks can be going
from DMZ to local net.
If snort will listen only on external interface, then I risk pass potential
attacks from DMZ to local net.
But I have a lot of traffic from external to DMZ networks. And a lot of
duplicates alerts.
May be I have some errors in configuration snort? Does really important that
snort listen on DMZ interface?
no, but you should avoid to scan the same packets a second time. All you
will get a duplicate alerts and in this case duplicate signatures in the
database.
Maybe you should exclude DMZ traffic on the snort sensor of the external
interface? (This of course depends on your filter rules at all. You want
to see attacks, so if they are alreday blocked at the external interface
you will not see them in the DMZ....)
2. You insert all signatures in the database before you start snort.
-> In this case all queries for signatures will succeed.
I think about this. But every time then I update snort rules, I need to
insert fresh signatures to the database... I can do that. As a last
resort...
No, the perl script will only add new signatures. Depending on your setup
you can invoke it with only the new rules.
Think about a second point: If all signatures are already part of the
database then snort does not need to insert them. You can save a lot
of processing time. Maybe you coud miss some packets during snort is
inserting a new signature? (This is still possible if you insert an
alert. Therefore most people prefer a solution where the database
insertion is a decoupled process from snort.)
But I wan't to solve this problem by correct snort configuration...
I suspect that this is not possible, yet. The database plugin has to
be extended to use a LOCK on the signature table. Should not be a big
deal at all, except that it is not part of the SQL standard, I think.
(Although at least MySQL and PostgreSQL support it.)
But then one has to be sure, that the lock is removed if snort gets
restarted if it holds the lock...
Best regards
Dirk
-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
