Snort mailing list archives
Re: Multiple databases with snort
From: Jon <warchild () spoofed org>
Date: Thu, 13 Mar 2003 10:30:51 -0500
On Wed, Mar 12, 2003 at 10:54:54AM -0600, Counselman, Chris Contractor/Sverdrup wrote:
> RH 8.0, ACID .9.6b22, snort 1.9.1, mysql
>
> I would like to set up snort to log to two databases at once. I would like to do this so I can have a real-time database that analysts can look at and delete alerts that have already been viewed, and an archive database. I have tried setting up ACID to archive but sometimes it will and sometimes it won't; I keep getting "duplicate alerts ignored" errors. This is so frequent the archive feature in ACID is practically unusable. Can you log to two databases at once from the same box without running multiple instances of snort? Is there any program out there that will archive better than ACID?
I noticed that someone else already answered your multiple-db question, so I'll take the 'duplicate alert' bit.

Are you running more than one instance of snort on a single interface? If so, be sure to set the sensor_name argument on the database output plugin. Otherwise, if by chance these multiple instances of snort detect the same attack on the same interface, the alerts getting logged will be duplicates. If this is the case, you'll need to set unique sensor_names.

For instance, I run my portscan2 sensor as a different process without any rules. If a particular packet trips a certain preprocessor on multiple instances of snort, the thing that makes the alerts unique is the sensor_name.

hth,
-jon
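The setup Jon describes, written out as an added example (this is not configuration from the thread or from the Snort project): two Snort 1.9 processes sniffing the same interface, one with the full ruleset and one running only the portscan2 preprocessor, each with its own sensor_name on the database output plugin. The file names, database credentials, host, interface and preprocessor tuning values are assumptions chosen for illustration.

```conf
# /etc/snort/snort-rules.conf  -- full-ruleset instance (example file, placeholder values)
# start with:  snort -c /etc/snort/snort-rules.conf -i eth0 -D
var RULE_PATH /etc/snort/rules
output database: log, mysql, user=snort password=CHANGEME dbname=snort host=localhost sensor_name=eth0-rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules

# /etc/snort/snort-portscan2.conf  -- preprocessor-only instance, no rules loaded (example file)
# start with:  snort -c /etc/snort/snort-portscan2.conf -i eth0 -D
# portscan2 depends on the conversation preprocessor; tuning values below are assumed, not tested here
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 3000
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60
output database: log, mysql, user=snort password=CHANGEME dbname=snort host=localhost sensor_name=eth0-portscan2
```

Without sensor_name, the database plugin identifies a sensor by the host name, interface and BPF filter, so two processes on the same host and interface end up sharing one row in the sensor table and the same sid. Giving each process a distinct sensor_name gives each its own sid, so events from the two processes can no longer collide on the (sid, cid) key that ACID's archive step complains about. Check the result with a quick look at the sensor table after both processes have logged at least one event: there should be one row per sensor_name.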
Current thread:
- Multiple databases with snort Counselman, Chris Contractor/Sverdrup (Mar 13)
- Re: Multiple databases with snort Jon (Mar 13)
- <Possible follow-ups>
- RE: Multiple databases with snort Hutchinson, Andrew (Mar 13)