
Deployment Issues

Securing communication between snort and the database

When logging alerts to a database across the network, some or all of this communication may occur in clear text, so the database password and/or the raw SQL may be exposed to anyone who can observe the traffic. Check the documentation of the database being used to determine the best authentication mechanism (e.g., password, Kerberos) and whether it is possible to encrypt the connection.

Another possible consideration, independent of a particular database's capability, is to use a port wrapper such as stunnel to encrypt communication.

Logging to multiple databases from single instance of Snort

It is possible to log to multiple databases from a single instance of Snort. Simply configure multiple database output plugin instances, each pointing to a different database.

Note: There is a known issue with using Unix domain sockets when logging to multiple PostgreSQL databases. Use TCP/IP logging for this configuration.

Logging to the same database from two instances of Snort on the same machine monitoring the same interface

When multiple identically configured instances of Snort log to the same database, it is mandatory to set the "sensor_name" parameter in the database plugin configuration so that the alerts from each instance can be uniquely identified in the database.
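The three points above (encrypting the database link with stunnel, logging to more than one database, and setting sensor_name) combined in one configuration, as an added example that is not part of the original page. Hostnames, certificate paths, ports and credentials are placeholders.

```conf
# --- /etc/snort/snort.conf, output section (example excerpt) ---
# Two database output plugin instances: one MySQL, one PostgreSQL.
# sensor_name is set explicitly so alerts from this instance can be told
# apart from a second, identically configured instance on the same host.

# MySQL: point at the local stunnel listener (127.0.0.1:3307) instead of the
# remote database, so the connection leaves the sensor TLS-wrapped.
# 127.0.0.1 (not "localhost") forces a TCP connection in the MySQL client.
output database: alert, mysql, host=127.0.0.1 port=3307 dbname=snort user=snort password=CHANGEME sensor_name=sensor1-eth0

# PostgreSQL: host= is given explicitly so the client uses TCP/IP rather than
# a Unix domain socket (see the known issue above).
output database: alert, postgresql, host=db2.example.internal port=5432 dbname=snort user=snort password=CHANGEME sensor_name=sensor1-eth0

# --- /etc/stunnel/stunnel.conf on the sensor (client side) ---
client = yes
# verify = 2 checks the server certificate against the CA file, so a
# man-in-the-middle with a self-signed certificate is rejected.
CAfile = /etc/stunnel/ca.pem
verify = 2
[mysql]
accept  = 127.0.0.1:3307
connect = db1.example.internal:3307

# --- /etc/stunnel/stunnel.conf on the MySQL host (server side) ---
cert = /etc/stunnel/db1.pem
[mysql]
accept  = 3307
connect = 127.0.0.1:3306
```

With this layout the MySQL server itself only needs to listen on the loopback interface; the only port exposed to the network is stunnel's TLS listener.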

Tuning the database

  • MySQL
  • PostgreSQL
