Snort mailing list archives

RE: Snort + Demarc Remote logging?


From: Ryan Hill <rhill () xypoint com>
Date: Mon, 13 May 2002 12:04:26 -0700

Matt,

You should be able to do this while running Demarc on your OpenBSD box.  You
mentioned that you have mysql installed on the openbsd box, so you should be
set.

To save yourself some heartache,  make sure you're using the same version on
both systems.  Also, you may want to make sure you can resolve your windows
hostname and/or IP and connect to the mysql port on your windows box from
your bsd box to make sure network connectivity won't be a problem.

To set up your console to run from your bsd box, you need to point the
console config to your windows host.  You can either do this by specifying
the host and login information at install time, or for an existing install,
take a look at /usr/local/puresecure/console/cgi/puresecure_config.pm (by
default).

puresecure_config.pm example:

$conf{'db_user'} = "user";
$conf{'db_passwd'} = "password";
$conf{'db_host'} = "localhost";
$conf{'db_name'} = "IDS";
$conf{'db_port'} = "3306";

To set up remote logging, you need to point each of your sensors to the
remote box by specifying the host and login information as part of the
install, or to modify an existing sensor, check your sensor.conf files which
are located in /usr/local/puresecure/sensor/conf by default.  Don't forget
to update your snort.conf output configs in the console.  Repeat this
process for each sensor you're running on the bsd box.

psd.conf example:

db_user = "user"
db_password = "password"
db_host = "localhost"
db_name = "IDS"
db_port = "3306"

snort.conf example:

output database: alert, mysql, user=user dbname=IDS sensor_name=MySpecialSensor sid=1 password=password host=localhost

Regards,

Ryan Hill
Corporate Information Systems
TeleCommunication Systems, Inc. (TCS) - http://www.telecomsys.com
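
As an added example (not from the post above and not Demarc/PureSecure code), here is a small Python check for the three fragments named above: it parses the snort.conf output line, the psd.conf key/value lines and the puresecure_config.pm $conf lines, flags any file still pointing at localhost when the MySQL server is on another box (the examples above use localhost as a placeholder; on the bsd box every one of them has to name the windows host), reports host/db/user mismatches between the files, and offers a resolve-plus-TCP-connect probe for the "can you reach the mysql port" step. The address 192.168.1.10, the user snort, the sensor name fw-sensor and all values in the sample configs are constructed for this example.

```python
import re
import socket

# Constructed sample configs; layouts follow the examples in the mail above.
# 192.168.1.10 stands in for the Windows box running MySQL (assumed address).
SNORT_CONF = """\
output database: alert, mysql, user=snort dbname=IDS \\
    sensor_name=fw-sensor sid=1 password=s3cret host=192.168.1.10
"""

PSD_CONF = """\
db_user = "snort"
db_password = "s3cret"
db_host = "192.168.1.10"
db_name = "IDS"
db_port = "3306"
"""

# Deliberately left at localhost to show the finding the check produces.
PURESECURE_CONFIG_PM = """\
$conf{'db_user'} = "snort";
$conf{'db_passwd'} = "s3cret";
$conf{'db_host'} = "localhost";
$conf{'db_name'} = "IDS";
$conf{'db_port'} = "3306";
"""

LOCAL_NAMES = {"localhost", "127.0.0.1", "::1"}


def parse_snort_output_db(text):
    """Return the parameters of the first 'output database:' line as a dict."""
    text = text.replace("\\\n", " ")  # join backslash-continued lines
    for line in text.splitlines():
        m = re.match(r"\s*output\s+database:\s*(.+)", line)
        if not m:
            continue
        parts = [p.strip() for p in m.group(1).split(",", 2)]
        if len(parts) != 3:
            return None
        conf = {"log_type": parts[0], "db_type": parts[1]}
        for kv in parts[2].split():  # key=value pairs separated by spaces
            key, _, value = kv.partition("=")
            conf[key] = value
        return conf
    return None


def parse_kv_conf(text):
    """Parse psd.conf-style  key = "value"  lines."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'\s*(\w+)\s*=\s*"([^"]*)"', line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def parse_perl_conf(text):
    """Parse puresecure_config.pm-style  $conf{'key'} = "value";  lines."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"""\s*\$conf\{['"](\w+)['"]\}\s*=\s*"([^"]*)";""", line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def check_remote_logging(snort, sensor, console, db_is_remote=True):
    """Return a list of findings; an empty list means the three files agree."""
    findings = []
    views = {  # (host, database, user) as each file sees it
        "snort.conf": (snort.get("host"), snort.get("dbname"), snort.get("user")),
        "psd.conf": (sensor.get("db_host"), sensor.get("db_name"), sensor.get("db_user")),
        "puresecure_config.pm": (console.get("db_host"), console.get("db_name"), console.get("db_user")),
    }
    hosts = {name: v[0] for name, v in views.items()}
    if db_is_remote:
        for name, host in hosts.items():
            if host in LOCAL_NAMES:
                findings.append(f"{name}: db host {host!r} points at this machine, not the MySQL box")
    if len(set(hosts.values())) > 1:
        findings.append("db host differs between files: " + ", ".join(f"{n}={h}" for n, h in hosts.items()))
    if len({v[1] for v in views.values()}) > 1:
        findings.append("db name differs between files")
    if len({v[2] for v in views.values()}) > 1:
        findings.append("db user differs between files")
    return findings


def db_reachable(host, port=3306, timeout=3.0):
    """Resolve host and open a TCP connection to the MySQL port (needs network)."""
    try:
        addr = socket.gethostbyname(host)
    except socket.gaierror as exc:
        return False, f"cannot resolve {host}: {exc}"
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True, f"{host} ({addr}) accepts connections on tcp/{port}"
    except OSError as exc:
        return False, f"{host} ({addr}) tcp/{port} unreachable: {exc}"


if __name__ == "__main__":
    snort = parse_snort_output_db(SNORT_CONF)
    sensor = parse_kv_conf(PSD_CONF)
    console = parse_perl_conf(PURESECURE_CONFIG_PM)
    for finding in check_remote_logging(snort, sensor, console):
        print("FINDING:", finding)
    print(db_reachable(snort["host"], int(sensor.get("db_port", 3306))))
```

Run it on the bsd box with the real files substituted for the sample strings; the reachability probe only tells you the port answers, so a clean result there still leaves the MySQL grant for that user@bsd-host to verify on the windows side.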


-----Original Message-----
From: diwelf [mailto:diwelf () rogers com] 
Sent: Sunday, May 12, 2002 8:59 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort + Demarc Remote logging?


Hi,
I'm sure this is probably a really stupid question, but I just couldn't
find my answer anywhere on Google or in mailing lists. So, here goes.

What I'm trying to do is the following:

----> internet --> Openbsd (gateway/nat/snort) ->> switch ->> internal

What I'm trying to do is get snort running on the openbsd box, then
sending the logs it creates to a mysql server on my windows box, inside
the network. I'm trying to monitor all the attempts on my firewall. I
have mysql, apache +ssl, demarc installed on the windows box. Now, my
question is, is this possible without running two copies of demarc? (one
on the router, one on the windows box?). The logs seem to be getting
sent to the database, I'm just unsure as to how to set up demarc to read
them properly I guess. I've been trying for three days straight and I
just can't figure this out. Or, is there a better solution? Thanks.

Matt
diwelf () nospam gmx net

_______________________________________________________________

Have big pipes? SourceForge.net is looking for download 
mirrors. We supply
the hardware. You get the recognition. Email Us: 
bandwidth () sourceforge net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

