Snort mailing list archives
Re: Snort, Mudpit, Unified logs and me...
From: Bamm Visscher <bamm () satx rr com>
Date: Fri, 2 Jan 2004 10:30:29 -0600
Russell,

You can only write to a filesystem using the unified format. So, if you want to read these files on another machine in near realtime, you would need to use something like NFS (not a good idea IMHO). You could also restart snort every hour or so and then copy the 'old' files over to the log processing machine and read them in batch mode. I doubt this is what you are looking for though.

My recommendation would be to run barnyard on the sensor and write to what ever output mechanism you want from that. An example setup might have snort logging to unified log with barnyard reading the unified log on the sensor and outputting to a remote mysql DB on the 'log processing' machine.

If you need help with barnyard, try the barnyard-users list or /join #snort on irc.freenode.net.

Bammkkkk

On Fri, Jan 02, 2004 at 04:07:37PM +0000, Russell Packer wrote:
Hi all,

I'm trying to set up what I think is "a normal" system pair:

System 1: The Snort machine (Devil)
System 2: The log processing / alerting machine (Slackware 9.x)

Having done lots and lots of reading, it seems that the unified (binary) output is "best" (as non-unified seems to lead to problems). [As a side note, I did look at FLoP but patching snort is not an option due to the fact that I'm using a pre-built live-CD for system 1]

Now, it seems that I have two options on system 2 - either Barnyard or Mudpit. Seeing as I can't get Barnyard to configure (tried MySQL 3.23, 4.017, my_connect, mysql_real_connect and all those other "fixes" to no avail), I'm forced to use Mudpit. As I'm sure anyone else using mudpit is aware, there isn't a whole lot of documentation ;)

I'm currently getting my head round the Mudpit configuration, more specifically the Spool section. The section starts like this:

    # Spool configurarion. One or more spools should be configured.
    # Spool definition contains the absolute path to a spool directory
    # (that is, the directory containing Snort's log/alert file pair)
    # and parameters for the spool processor.

Seems fair enough. In the Snort configuration file, there is this information:

    # Two arguments are supported.
    # filename - base filename to write to (current time_t is appended)
    # limit - maximum size of spool file in MB (default: 128)
    #
    # output alert_unified: filename snort.alert, limit 128
    # output log_unified: filename snort.log, limit 128

Hm. This raises 2 questions:

1.) How does one specify that these two files should actually be sent on a remote machine? In the MySQL example, it is obvious that you can specify a host, but mudpit requires the files :/

2.) As these log files need to reside on a remote system, how would the limit work?

I may, of course, also be going along the wrong track, so any pointers much appreciated!
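The batch alternative Bamm describes (let Snort roll over to a new spool file, then ship only the finished ones) in POSIX shell, as an added example that is not from the thread. It assumes spool names are exactly `<base>.<time_t>` as the snort.conf comment above states, so the highest suffix is the file Snort is still writing; the scp destination is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. Snort appends the start time_t to the
# unified base filename, so the spool file with the highest suffix is the one
# still open for writing. Every older file is complete and safe to copy to the
# log-processing host in batch, then to move out of the way locally.

# Print the completed spool files (all but the newest) for one base name,
# oldest first. Anything without a purely numeric suffix is ignored.
completed_spool_files() {
    spool_dir=$1
    base=$2
    for f in "$spool_dir/$base".*; do
        [ -f "$f" ] || continue
        suffix=${f##*.}
        case $suffix in
            ''|*[!0-9]*) continue ;;   # not a <base>.<time_t> spool file
        esac
        printf '%s\n' "$suffix"
    done | sort -n | sed '$d' | while IFS= read -r s; do
        printf '%s\n' "$spool_dir/$base.$s"
    done
}

# Copy completed files to the processing host, then archive them locally so
# the next run does not ship them again. DEST is a placeholder scp target,
# e.g. loghost:/var/spool/snort/ (assumed, not from the thread).
ship_completed() {
    spool_dir=$1
    base=$2
    dest=$3
    mkdir -p "$spool_dir/shipped"
    completed_spool_files "$spool_dir" "$base" | while IFS= read -r f; do
        scp -q "$f" "$dest" && mv "$f" "$spool_dir/shipped/"
    done
}

# Typical cron use (placeholders): run once per hour for each spool pair.
# ship_completed /var/log/snort snort.log   loghost:/var/spool/snort/
# ship_completed /var/log/snort snort.alert loghost:/var/spool/snort/
```

Because the active file is never touched, this works whether or not Snort is restarted on a schedule; the `limit` in snort.conf simply decides how often a new suffix appears.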