Distributed Snort Architecture
It would present a real problem if gigabytes of data had to be stored on the same physical box that Snort was running on. Fortunately, Snort uses an n-tier architecture. N-tier architectures are fairly common. Large applications are rarely handled by one application on one box; scalability and security are chief concerns with a single tier architecture. Snort is most typically installed in a 3-tier architecture, but is flexible enough to accommodate a single-tier (the hybrid sensor/server) to four tiers (departmental clusters).
First Tier—The Sensor Tier
The first tier, known as the sensor tier, is where network traffic passes to be monitored for intrusions. The sensor acts like a digital vacuum: It grabs packets ...
Get Intrusion Detection with Snort now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.