tarballed
May 25th, 2003, 16:20
Ok. I just put up OpenBSD 3.3 with the new PF and I like it!
Now, I am going to put on snort so I can do some more fun stuff.
I have a couple of questions though.
I know that elmore has put up a great How-To, however I wanted to ask a few questions about what is needed and rules and such.

First, is it recommended or required to have a database installed on the server to hold the log files? Since I have pretty much stripped my OpenBSD install to run as little processes as possible, what is the general rule if I need to setup a database for my snort logs? Should I install it on the firewall, or another server on my intranet?

Second. I see that snort 2.0 is out. But, I see there are two different rule sets that you can download; current and stable. I'm guessing that the current rules go with 2.0?

Thanks everyone. Looking forward to putting up my hog!

Tarballed

bsdjunkie
May 25th, 2003, 22:12
You do not need a database to store logs. Snort will log in many different formats, including a standard binary tcpdump. 2.0 is considered stable now, so the current rules will be following CVS.
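The binary tcpdump log bsdjunkie mentions is the libpcap file format, so it can be read without snort or a database. As an added example that is not from this thread, here is a small Python reader for that format: it checks the magic and link type, walks the per-packet records, flags packets cut short by the snaplen, skips non-IPv4 frames, and refuses a file that was cut off mid-record (what you get when a sensor dies while writing). All packet data below is constructed in the script itself; a real snort binary log (written with `snort -b`) can be passed as the first argument instead.

```python
import struct
import socket
import ipaddress

# libpcap (tcpdump) file constants
PCAP_MAGIC_LE = 0xA1B2C3D4      # magic as read little-endian from an LE-written file
PCAP_MAGIC_BE = 0xD4C3B2A1      # same bytes on disk, written by a big-endian host
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


def build_ipv4_frame(src, dst, proto, payload=b""):
    """Constructed Ethernet+IPv4 frame for the sample log (not real traffic)."""
    eth = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
           + struct.pack("!H", ETHERTYPE_IPV4))
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + payload


def build_pcap(packets, snaplen=1514):
    """Serialise (ts_sec, ts_usec, frame) tuples as a little-endian pcap file."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, frame in packets:
        captured = frame[:snaplen]                      # honour snaplen like a sensor would
        out += struct.pack("<IIII", ts_sec, ts_usec, len(captured), len(frame)) + captured
    return out


def decode_frame(frame):
    """Return (src, dst, proto) for an Ethernet/IPv4 frame, or None for anything else."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl:
        return None
    return (str(ipaddress.IPv4Address(ip[12:16])),
            str(ipaddress.IPv4Address(ip[16:20])),
            ip[9])


def parse_pcap(data):
    """Walk a pcap byte string and return one dict per IPv4 packet.

    Raises ValueError on a bad magic, an unsupported link type, a corrupt
    record length, or a file cut off mid-record.
    """
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a pcap file: magic 0x%08x" % magic)
    _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack(end + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)

    records = []
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError("corrupt record length at offset %d" % off)
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet data at offset %d" % off)
        off += incl_len
        decoded = decode_frame(frame)
        if decoded is None:
            continue                                    # ARP, IPv6, etc. are skipped here
        src, dst, proto = decoded
        records.append({"ts_sec": ts_sec, "ts_usec": ts_usec, "src": src, "dst": dst,
                        "proto": proto, "truncated": orig_len > incl_len})
    return records


# Constructed sample log: two IPv4 packets and one ARP frame, so the reader
# can see non-IP frames being skipped.
SAMPLE_LOG = build_pcap([
    (1053900000, 123456, build_ipv4_frame("192.168.1.10", "10.0.0.1", 6, b"\x00" * 20)),
    (1053900001, 0, bytes.fromhex("ffffffffffff001122334455" + "0806") + b"\x00" * 28),
    (1053900002, 500, build_ipv4_frame("10.0.0.1", "192.168.1.10", 17)),
])

if __name__ == "__main__":
    import sys
    # Pass a real snort -b log as argv[1]; otherwise the constructed sample is parsed.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for r in parse_pcap(data):
        print("%d.%06d %s -> %s proto=%d%s" % (r["ts_sec"], r["ts_usec"], r["src"], r["dst"],
                                               r["proto"], " (truncated)" if r["truncated"] else ""))
```

The `truncated` flag matters when reviewing a sensor's logs: a snaplen lower than the frame size means the payload snort matched on may not be fully preserved in the log, and the reader should say so rather than silently showing a shorter packet.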

tarballed
June 8th, 2003, 03:30
Alright... I've finally got some free time (finally) and I want to really start using snort on my home network. I have some questions that I wanted to get cleared up so I know where to begin.

I've read quite a few documents that suggest setting up MySQL in conjunction with snort... (Apache, PHP and ACID are others I've seen documented as well)

However, since I'm just getting started, would it be beneficial, for now, to just put snort on and then add other features later? I would really like to eventually add all the goodies, but I want to 'learn' IDS here.

Secondly, and this may sound comical, but I install snort on the firewall itself, correct?

As it is now, I'm running OpenBSD 3.3 as my firewall, and it pretty much does not run anything else. Just a straight firewall, with no extra services, ports or anything that could possibly add any extra vulnerabilities.

So, my home network is:
OpenBSD 3.3 as the firewall
Dual boot of FreeBSD 4.8 and Slackware 9.0
Windows 2000

Plus, I'm picking up two extra machines for work, so I can have more toys.

I'd just like to get some input on where to begin here.

Thanks guys.
Tarballed

elmore
June 8th, 2003, 04:10
Well, sure, you can just compile snort and log like junkie suggested for right now. You can always go back and add logging to a database later, provided you compiled that support into the binary. You have to recompile otherwise.

You can, and I recommend, setting up just snort on your firewall and then logging to a database server on another computer, perhaps your FreeBSD box. This is the typical way I usually set it up.

Hope this helps :) Glad to see you back around tarballed.

tarballed
June 8th, 2003, 05:13
I'll go ahead and get started here, see what I can do.
I'm currently compiling it right now. Once I start setting up rules, I'll be back. :)

Tarballed