Snort Installation Scenarios
25
In a production installation, you also need to implement startup and shutdown procedures so that Snort automatically starts at boot time. If you are installing a precompiled version for Linux, the installation procedure with RPM will take care of it. On Microsoft Windows systems, you can start Snort as a service or put a batch file in the startup group. Issues related to Microsoft Windows are covered in Chapter 8. The logging is done in text or binary files, and tools like SnortSnarf can be used to analyze the data. SnortSnarf is discussed in detail in Chapter 6.
2.1.3 Single Sensor with Network Management System Integration
In a production system, you can configure Snort to send traps to a network management system. There are a variety of network management systems used in the enterprise. The most popular commercial systems are from Hewlett Packard, IBM and Computer Associates.
Snort integration into these network management systems is done through the use of SNMP traps. When you go through the compilation process of Snort later in this chapter, you will learn how to build SNMP capability into Snort. Chapter 4 provides more information about configuring SNMP trap destinations, community names and so on.
2.1.4 Single Sensor with Database and Web Interface
The most common use of Snort is with database integration. The database is used to log Snort data where it can be viewed and analyzed later on, using a web based interface. A typical setup of this type consists of three basic components:
1. Snort sensor
2. A database server
3. A web server
Snort logs data into the database. You can view the data using a web browser connected to the sensor. This scheme is shown in Figure 1-1 in Chapter 1. All three components can be present on the same system as shown in Figure 1-2 in Chapter 1.
Different types of database servers like MySQL, PostgreSQL, Oracle, Microsoft SQL Server and other ODBC compliant databases can be used with Snort. PHP is used to get data from the database and to generate web pages.
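As an added illustration (not code from the book, from Snort or from any of the web front ends it mentions), the following Python stand-in shows what the database component of this setup holds: it parses Snort's alert_fast text lines (constructed samples, not real sensor output) into an in-memory SQLite table, which stands in here for the MySQL or PostgreSQL server, and runs the per-signature count query a web interface would issue first. In the real setup this loading is done by Snort's database output plugin, not by a script.

```python
import re
import sqlite3

# Constructed sample lines in Snort's alert_fast text format (not taken from a real sensor).
SAMPLE_ALERTS = """\
03/14-10:22:01.123456  [**] [1:1000001:1] EXAMPLE ICMP ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 192.0.2.20
03/14-10:22:05.654321  [**] [1:1000002:1] EXAMPLE web probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:40213 -> 192.0.2.30:80
03/14-10:23:11.000001  [**] [1:1000001:1] EXAMPLE ICMP ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.11 -> 192.0.2.20
"""

# One alert_fast line: timestamp, [gid:sid:rev], message, optional classification, priority, {proto}, src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s+(?P<cls>[^\]]+)\])?\s+\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

def parse_alert(line):
    """Return the fields of one alert_fast line as a dict, or None if the line does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "prio", "sport", "dport"):
        d[k] = int(d[k]) if d[k] is not None else None  # ports are absent for ICMP alerts
    return d

def load_alerts(text, conn=None):
    """Insert every parsable alert into an 'event' table; returns (conn, rows_inserted)."""
    conn = sqlite3.connect(":memory:") if conn is None else conn  # SQLite stands in for the DB server
    conn.execute("CREATE TABLE IF NOT EXISTS event (ts TEXT, gid INTEGER, sid INTEGER, rev INTEGER, "
                 "msg TEXT, cls TEXT, prio INTEGER, proto TEXT, src TEXT, sport INTEGER, dst TEXT, dport INTEGER)")
    n = 0
    for line in text.splitlines():
        d = parse_alert(line)
        if d is None:
            continue  # skip blank or malformed lines instead of aborting the whole load
        conn.execute("INSERT INTO event VALUES (?,?,?,?,?,?,?,?,?,?,?,?)",
                     tuple(d[k] for k in ("ts", "gid", "sid", "rev", "msg", "cls", "prio",
                                          "proto", "src", "sport", "dst", "dport")))
        n += 1
    conn.commit()
    return conn, n

def top_signatures(conn):
    """The query a web front end would run first: alert count per signature, busiest first."""
    cur = conn.execute("SELECT sid, msg, COUNT(*) AS hits FROM event GROUP BY sid, msg "
                       "ORDER BY hits DESC, sid")
    return cur.fetchall()
```

Calling `load_alerts(SAMPLE_ALERTS)` and then `top_signatures(conn)` lists the two example signatures with the ping alert on top (2 hits).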
This setup provides a very good and comprehensive IDS which is easy to manage and user friendly. You have to provide a user name, password, database name and database server address to Snort to enable it to log to the database. In a single sensor scheme where the database is running on the sensor itself, you can use localhost as