Snort mailing list archives
RE: Snort + Demarc Remote logging?
From: Ryan Hill <rhill () xypoint com>
Date: Mon, 13 May 2002 12:04:26 -0700
Matt,

You should be able to do this while running Demarc on your OpenBSD box. You mentioned that you have mysql installed on the openbsd box, so you should be set. To save yourself some heartache, make sure you're using the same version on both systems. Also, you may want to make sure you can resolve your windows hostname and/or IP and connect to the mysql port on your windows box from your bsd box to make sure network connectivity won't be a problem.

To set up your console to run from your bsd box, you need to point the console config to your windows host. You can either do this by specifying the host and login information at install time, or for an existing install, take a look at /usr/local/puresecure/console/cgi/puresecure_config.pm (by default).

puresecure_config.pm example:

    $conf{'db_user'} = "user";
    $conf{'db_passwd'} = "password";
    $conf{'db_host'} = "localhost";
    $conf{'db_name'} = "IDS";
    $conf{'db_port'} = "3306";

To set up remote logging, you need to point each of your sensors to the remote box by specifying the host and login information as part of the install, or to modify an existing sensor, check your sensor.conf files, which are located in /usr/local/puresecure/sensor/conf by default. Don't forget to update your snort.conf output configs in the console. Repeat this process for each sensor you're running on the bsd box.

psd.conf example:

    db_user = "user"
    db_password = "password"
    db_host = "localhost"
    db_name = "IDS"
    db_port = "3306"

snort.conf example:

    output database: alert, mysql, user=user dbname=IDS sensor_name=MySpecialSensor sid=1 password=password host=localhost

Regards,

Ryan Hill
Corporate Information Systems
TeleCommunication Systems, Inc. (TCS) - http://www.telecomsys.com
-----Original Message-----
From: diwelf [mailto:diwelf () rogers com]
Sent: Sunday, May 12, 2002 8:59 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort + Demarc Remote logging?

Hi,

I'm sure this is probably a really stupid question, but I just couldn't find my answer anywhere on google or in mailing lists. So, here goes. What I'm trying to do is the following:

    ----> internet --> Openbsd (gateway/nat/snort) ->> switch ->> internal

What I'm trying to do is get snort running on the openbsd box, then sending the logs it creates to a mysql server on my windows box, inside the network. I'm trying to monitor all the attempts on my firewall. I have mysql, apache +ssl, demarc installed on the windows box.

Now, my question is, is this possible without running two copies of demarc? (one on the router, one on the windows box?). The logs seem to be getting sent to the database, I'm just unsure as to how to set up demarc to read them properly, I guess. I've been trying for three days straight and I just can't figure this out. Or, is there a better solution?

Thanks.

Matt
diwelf () nospam gmx net

_______________________________________________________________
Have big pipes? SourceForge.net is looking for download mirrors. We supply the hardware. You get the recognition. Email Us: bandwidth () sourceforge net

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
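As an added example (not part of the original posts and not Demarc/PureSecure code), the following sketch parses the three config formats quoted in the reply, reports where console, sensor and snort.conf disagree about the database, and runs the suggested MySQL port reachability check. The function names and the 192.0.2.10 address standing in for the Windows MySQL host are assumptions.

```python
import re
import socket

# Constructed samples in the three formats quoted in the thread; 192.0.2.10 is a
# documentation address standing in for the Windows MySQL host (assumption).
CONSOLE_PM = '''$conf{'db_user'} = "user";
$conf{'db_host'} = "192.0.2.10";
$conf{'db_name'} = "IDS";
$conf{'db_port'} = "3306";'''
SENSOR_CONF = '''db_user = "user"
db_host = "localhost"
db_name = "IDS"
db_port = "3306"'''
SNORT_CONF = ("output database: alert, mysql, user=user dbname=IDS "
              "sensor_name=MySpecialSensor sid=1 password=password host=192.0.2.10")

# Each file spells the same setting differently; password keys are not mapped,
# so credentials never end up in the comparison output.
ALIASES = {"db_user": "user", "db_host": "host", "db_name": "dbname", "db_port": "port",
           "user": "user", "host": "host", "dbname": "dbname", "port": "port"}
QUOTED = re.compile(r'''^(?:\$conf\{')?(\w+)(?:'\})?\s*=\s*"([^"]*)"''')
KV = re.compile(r"(\w+)=(\S+)")

def parse_db_settings(text):
    """Normalise console .pm, sensor .conf or snort.conf text to one dict."""
    found = {"port": "3306"}  # MySQL's default port when none is given
    for line in map(str.strip, text.splitlines()):
        rx = KV if line.startswith("output database:") else QUOTED
        found.update((ALIASES[k], v) for k, v in rx.findall(line) if k in ALIASES)
    return found

def mismatches(configs):
    """Return {setting: {file: value}} for every setting the files disagree on."""
    keys = {k for c in configs.values() for k in c}
    table = {k: {n: c.get(k) for n, c in configs.items()} for k in keys}
    return {k: v for k, v in table.items() if len(set(v.values())) > 1}

def port_open(host, port, timeout=3.0):
    # TCP connect only: proves routing and filtering allow the path, not that login works.
    try:
        with socket.create_connection((host, int(port)), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    cfgs = {n: parse_db_settings(t) for n, t in
            [("console", CONSOLE_PM), ("sensor", SENSOR_CONF), ("snort", SNORT_CONF)]}
    print("disagreements:", mismatches(cfgs))
    print("MySQL reachable:", port_open(cfgs["snort"]["host"], cfgs["snort"]["port"]))
```

With the constructed samples, the only disagreement reported is the sensor's `db_host` still pointing at `localhost` while the console and snort.conf point at the remote database.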