Snort mailing list archives
Re: Log to MySQL but without MySQL
From: Nibar Anonymous <novalupo () yahoo com>
Date: Fri, 1 Mar 2002 07:37:17 -0800 (PST)
I ran into this problem too: you shouldn't have to install databases or other trappings on sensor nodes. In my case I wanted to deploy snort host sensors on hardened (stripped down, locked down, special-purpose) nodes on my company's firewall perimeter, but centralize the database and console *behind* the firewall. The only files that should be deployed on exposed sensor nodes are the minimum: the snort daemon binary, a *copy* of the config/rule files, and the boot script.

My solution was to use the snort "unified binary format" option and set the max log file size to the smallest possible (1MB). It was easy enough to write a perl script (I call it "snortbot" -- currently a 280-line commented script) to run on a central node protected behind the firewall that periodically connects out to each sensor (every 15 mins -- or whatever), pulls down the log files, cleans up the old remote files, processes the logs into a combined archive, etc. I'm currently using IP-restricted FTP, but I'm looking into sftp in the near future.

I figured out I didn't really need a database since all of the data is time-series and can be preprocessed into summaries and stats easily. I used the perl Storable.pm module (check out CPAN) to store the alerts and packet dumps into a structured filesystem archive. The place I work for is fairly large, 30K ping-answering nodes (three class B netblocks plus misc. class C's), so I was surprised how well the file system scheme scaled. Also, fewer moving parts and dependencies means it's easier to deploy, host, and maintain.

HOWEVER, I probably will next look into having snortbot feed the aggregated data into the MySQL schema (using the appropriate perl DBI module), since many preexisting consoles rely on a database of some sort (I wrote my own minimal console in perl to access the file system archive). I'd like to contribute the script but it will take a bit of work to get it into general-purpose shape.

If anyone is interested in seeing the as-is version (the perl unified binary format parsing routines may be of interest), let me know. I based the code on the snort C source header information, and didn't borrow from any other perl scripts, so it's possible I have duplicated some effort.

--- Paul.Simons () ihsenergy com wrote:

> OK, strange subject, but I am trying to build a Snort sensor which will log to a MySQL database on another machine. I don't want to have all the MySQL packages (and dependants) on the machine. I guess I have to have them there when I build Snort, but I would like to know if anyone has done this and knows which bits of MySQL absolutely MUST be there for Snort to run?
>
> Regards
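The post above describes parsing Snort's "unified binary format" alert files from the C header definitions and rolling the result into time-series summaries rather than a database. As an added example (my code, not the snortbot script the poster describes), here is a Python reader for a unified alert file plus the hourly roll-up such a collector would produce. The magic value, the field list and the assumption that struct timeval is two 32-bit fields are reproduced from memory of the Snort 1.8-era spo_unified.h for a 32-bit sensor; they are assumptions and must be checked against the header in the Snort tree actually built on the sensor. The sample file is constructed inline, not a real capture.

```python
"""Read a Snort 1.x unified alert file and summarise it per signature and hour.

Assumed layout (from the Snort 1.8-era spo_unified.h, verify against your build):
  UnifiedAlertFileHeader { u32 magic; u32 version_major; u32 version_minor; u32 timezone; }
  Event  { u32 sig_generator, sig_id, sig_rev, classification, priority,
           event_id, event_reference; struct timeval ref_time; }
  UnifiedAlert { Event event; struct timeval ts; u32 sip; u32 dip;
                 u16 sp; u16 dp; u32 protocol; u32 flags; }
The sensor writes these structs in its native byte order, so the magic is
checked in both orders.  struct timeval is assumed to be two 32-bit fields,
which is what a 32-bit sensor of that era wrote.  IP addresses are stored as
raw in_addr bytes (network order) and ports in host order, as Snort's decoder
leaves them.
"""
import socket
import struct
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

UNIFIED_ALERT_MAGIC = 0xDEAD4137  # assumed value of UNIFIED_ALERT_MAGIC

# Explicit '<'/'>' prefixes give fixed field sizes and no padding, matching
# the 64-byte record a 32-bit sensor emits.
HDR_FIELDS = "IIII"          # magic, version_major, version_minor, timezone
EVENT_FIELDS = "IIIIIIIll"   # gen, sig_id, sig_rev, class, priority, event_id, event_ref, ref_time
ALERT_FIELDS = EVENT_FIELDS + "ll4s4sHHII"  # ts, sip, dip, sp, dp, protocol, flags


@dataclass(frozen=True)
class UnifiedAlert:
    sig_generator: int
    sig_id: int
    sig_rev: int
    classification: int
    priority: int
    event_id: int
    event_reference: int
    ref_sec: int
    ref_usec: int
    ts_sec: int
    ts_usec: int
    sip: str
    dip: str
    sp: int
    dp: int
    protocol: int
    flags: int


def detect_byte_order(data: bytes) -> str:
    """Return the struct prefix ('<' or '>') under which the file magic matches."""
    if len(data) < 4:
        raise ValueError("file too short for a unified alert header")
    for order in ("<", ">"):
        if struct.unpack(order + "I", data[:4])[0] == UNIFIED_ALERT_MAGIC:
            return order
    raise ValueError("not a unified alert file (bad magic)")


def parse_unified_alerts(data: bytes) -> Iterator[UnifiedAlert]:
    """Yield every complete record; a trailing partial record (the sensor may
    still be writing when the file is pulled) is ignored rather than mis-parsed."""
    order = detect_byte_order(data)
    hdr = struct.Struct(order + HDR_FIELDS)
    rec = struct.Struct(order + ALERT_FIELDS)
    if len(data) < hdr.size:
        raise ValueError("truncated unified alert header")
    off = hdr.size
    while off + rec.size <= len(data):
        f = rec.unpack_from(data, off)
        off += rec.size
        yield UnifiedAlert(*f[:9], f[9], f[10],
                           socket.inet_ntoa(f[11]), socket.inet_ntoa(f[12]),
                           f[13], f[14], f[15], f[16])


def summarize(alerts: List[UnifiedAlert], bucket_secs: int = 3600) -> Dict[Tuple[int, int, int], int]:
    """The time-series roll-up the post relies on instead of a database:
    alert counts keyed by (sig_generator, sig_id, start of time bucket)."""
    counts: Counter = Counter()
    for a in alerts:
        counts[(a.sig_generator, a.sig_id, a.ts_sec - a.ts_sec % bucket_secs)] += 1
    return dict(counts)


def build_sample_file(order: str = "<") -> bytes:
    """Constructed sample (not a real sensor capture): header plus two alerts."""
    hdr = struct.pack(order + HDR_FIELDS, UNIFIED_ALERT_MAGIC, 1, 81, 0)

    def rec(sig_id: int, ts: int, sip: str, dip: str, sp: int, dp: int, proto: int) -> bytes:
        return struct.pack(order + ALERT_FIELDS,
                           1, sig_id, 1, 0, 2, 1, 0, ts, 0,      # Event
                           ts, 0,                                 # ts
                           socket.inet_aton(sip), socket.inet_aton(dip),
                           sp, dp, proto, 0)

    return (hdr
            + rec(1000001, 1014990000, "10.1.2.3", "192.0.2.10", 3456, 80, 6)
            + rec(1000002, 1014990600, "10.1.2.4", "192.0.2.10", 53, 53, 17))


if __name__ == "__main__":
    for key, n in sorted(summarize(list(parse_unified_alerts(build_sample_file()))).items()):
        print(key, n)
```

The byte-order probe matters in practice: a collector that parses files from mixed sensor architectures with one fixed format will silently produce garbage signature IDs and ports, so fail on an unrecognised magic rather than guessing.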
Current thread:
- Log to MySQL but without MySQL Paul . Simons (Feb 28)
- Re: Log to MySQL but without MySQL Olaf Schreck (Mar 01)
- Re: Log to MySQL but without MySQL Nibar Anonymous (Mar 01)