Snort mailing list archives

RE: Unknown Sensor


From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Fri, 21 Feb 2003 15:26:33 -0600

I had this same problem.  It was easily fixed by adding the
"sensor_name" variable to the "output database:" variable, like this:

    output database: log, mysql, user=snort password=snort dbname=snort host=localhost sensor_name={your-sensor-name-here}

The sensor_name can be anything you want it to be: hostname, arbitrary
value (like gateway, dmz, whatever), or just "sensor1".

It's in the docs.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
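[Editor's note, not part of either message: after setting sensor_name on each sensor as described above, this is the check and clean-up a practitioner would run against the snort database. It is an added example written against the stock Snort 1.9 MySQL schema (tables sensor and event, as shown in the listing further down); the sensor_name values snort1 and snort2 and the sid of the stale row are taken from that listing. MySQL 3.23 has no subqueries, so the queries use LEFT JOIN instead.]

```sql
-- Added example, not from either message. Assumes the stock Snort 1.9
-- MySQL schema (sensor, event) and that each sensor's snort.conf now
-- carries its own name, e.g. on the first sensor:
--   output database: log, mysql, user=snort password=snort dbname=snort host=localhost sensor_name=snort1
-- With sensor_name set, the row is keyed on "snort1:eth1" rather than on
-- whatever the host reports about itself at start-up, so daily restarts
-- keep matching the same row instead of registering a new one.

-- 1. Which sensor rows exist and how many events point at each.
--    Healthy state after the fix: one row per sensor, event counts only
--    growing on those rows, no new "unknown:*" rows after a restart.
SELECT s.sid, s.hostname, s.interface, s.last_cid, COUNT(e.cid) AS events
  FROM sensor s LEFT JOIN event e ON e.sid = s.sid
 GROUP BY s.sid, s.hostname, s.interface, s.last_cid;

-- 2. Stale rows registered before sensor_name was set: hostname starts
--    with 'unknown:' and no event ever referenced them. Only these are
--    safe to drop; a sensor row that events reference must stay, or those
--    events lose their sensor in ACID.
SELECT s.sid, s.hostname
  FROM sensor s LEFT JOIN event e ON e.sid = s.sid
 WHERE s.hostname LIKE 'unknown:%'
 GROUP BY s.sid, s.hostname
HAVING COUNT(e.cid) = 0;

-- 3. Remove the stale row by the sid that step 2 returned (sid 3 in the
--    listing below). The extra conditions guard against a typo in the sid.
DELETE FROM sensor
 WHERE sid = 3 AND hostname LIKE 'unknown:%' AND last_cid = 0;
```

Run step 1 once more after the next scheduled restart of both sensors; if a fresh "unknown:eth1" row still appears, the sensor_name option is not on the output database line that sensor actually loads.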



-----Original Message-----
From: James M. Driskell [mailto:jdriskell () ups edu]
Sent: Friday, February 21, 2003 2:50 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Unknown Sensor

Hi all.

I'm stumped.  I'm running two sensors feeding a single snort
mysql database.  I stop and restart each sensor daily to clear and
rebuild the alert and scan.log files on the sensors.  Otherwise these files
fill up the hard drives of the sensors.  I always wind up with an
unknown sensor replacing the snort1 sensor.  I've even created separate
mysql user names and passwords for each sensor, but that didn't seem to
help.  I appreciate any help solving this problem.

mysql> select * from sensor;
+-----+--------------+-----------+--------+--------+----------+----------+
| sid | hostname     | interface | filter | detail | encoding | last_cid |
+-----+--------------+-----------+--------+--------+----------+----------+
|   1 | snort1:eth1  | eth1      | NULL   |      1 |        0 |     3409 |
|   2 | snort2:eth1  | eth1      | NULL   |      1 |        0 |        0 |
|   3 | unknown:eth1 | eth1      | NULL   |      1 |        0 |        0 |
+-----+--------------+-----------+--------+--------+----------+----------+
3 rows in set (0.00 sec)

I'm running linux 7.3, snort 1.9, php 4.1.2 and acid 09.6b23 and
mysql 3.23.54a.

Thanks in advance.

Jim Driskell
University of Puget Sound
