Snort mailing list archives
Sensor Agent at Remote machine
From: "Naveen C Joshi" <naveen_joshi () intersolutions stpn soft net>
Date: Thu, 20 May 2004 22:10:01 +0530
Hi,

I have two setups for snort as below:

RH-9.0, snort-2.1, snortcenter-agent-v1.0-RC1, snortcenter-v1.0-RC1, Acid-0.9.6b23, Snort Enterprise Imp. by Steven J.S.

-------------------------------------------------------
setup-1. snort, snortcenter, snort-sensor-agent, acid installation.

The setup-1 is working fine and I am getting all the alerts on the ACID database. My snort daemon is running as

  /usr/sbin/snort -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

At my SnortCenter console I have created output-plugins and sensor (11.10.44.33:2525), which is the eth0. This sensor IP address is available in my acid database. Again I add one another sensor on the snortcenter console, which is the IP address and port of setup-2 (11.10.99.88:2525), and it shows me green status for connectivity, but it is not available in the ACID database. And even I am not getting any of the alerts of this setup-2 in my ACID database.

-------- My concern was to manage the setup-2 sensor agent from the setup-1 snortcenter --------

setup-2. Here are my setup-2 installation details.

I have installed a snort + Sensor agent on the setup-2 (11.10.99.88). All the rules are being updated on that machine by snort itself. The snort.conf on that machine has been configured as per the requirement; only the database part is not configured, it is commented out. Am I wrong or right?

The daemon is running with command

  /usr/sbin/snort -A unsock -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

where the ALERTMODE=unsock. The Sensor agent installation is as below, as miniserv.conf:

port=2525
bind=11.10.99.88
root=/var/www/html/sensor/cgi
host=11.10.99.88
addtype_cgi=internal/cgi
realm=SnortCenter Sensor
logfile=/var/www/html/sensor/log/miniserv.log
pidfile=/var/www/html/sensor/log/miniserv.pid
errorlog=/var/www/html/sensor/log/miniserv.error
logtime=168
ssl=0
env_SENSOR_CONFIG=/var/www/html/sensor/conf
env_SENSOR_VAR=/var/www/html/sensor/log
atboot=1
logout=/var/www/html/sensor/conf/logout-flag
denyfile=\.pl$
log=1
blockhost_failures=5
blockhost_time=60
passdelay=1
syslog=1
allow=11.10.44.33
session=0
userfile=/var/www/html/sensor/conf/sensor.users
keyfile=/var/www/html/sensor/conf/sensor.pem

############################################################################
#### THIS IS THE OUTPUT FROM MY SOCKET, IT MEANS THE SOCKET CONNECTION IS ALSO NOT ESTABLISHED.
[root@11.10.99.88/root]# netstat -na | grep -w 2525
tcp        0      0 11.10.99.88:2525        0.0.0.0:*               LISTEN
tcp        0      0 11.10.99.88:2525        11.10.44.33:54175       TIME_WAIT
tcp        0      0 11.10.99.88:2525        11.10.44.33:54169       TIME_WAIT
#########################################################################

Please let me know what I am missing in this configuration. Is this not the correct method for remote sensor agent configuration? Please help me on this topic; I have been working on this for the last two weeks but with no success.

Thanks in advance.

best regards
Naveen
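As an added example, not code from the post and not part of SnortCenter or Snort, the following Python script runs the three checks a practitioner would want on the setup-2 side before blaming the agent. It parses a miniserv.conf of the shape quoted above and flags settings that weaken the agent channel (the meaning given to ssl=0 and session=0 follows Webmin-style miniserv semantics, which is an assumption here); it summarises the state of every socket on the agent port from netstat output (TIME_WAIT entries are the remnants of connections that completed and were already closed, which is what the console's green status check leaves behind); and it lists which snort.conf output plugins are actually active, because a commented-out "output database:" line means no alert from that sensor can reach the ACID database no matter what the agent does. All three inputs are constructed samples modelled on the post, not the poster's real files.

```python
"""Sanity checks for a SnortCenter remote sensor.

Runs against constructed sample input (modelled on the mailing list post,
not the poster's real files) so it can be executed offline.
"""
import re

# Constructed miniserv.conf sample, trimmed to the settings that matter here.
MINISERV_CONF = """\
port=2525
bind=11.10.99.88
ssl=0
allow=11.10.44.33
session=0
blockhost_failures=5
blockhost_time=60
"""

# Constructed `netstat -na | grep -w 2525` output, as in the post.
NETSTAT_OUT = """\
tcp        0      0 11.10.99.88:2525        0.0.0.0:*               LISTEN
tcp        0      0 11.10.99.88:2525        11.10.44.33:54175       TIME_WAIT
tcp        0      0 11.10.99.88:2525        11.10.44.33:54169       TIME_WAIT
"""

# Constructed snort.conf fragment: syslog output active, database output commented out.
SNORT_CONF = """\
output alert_syslog: LOG_AUTH LOG_ALERT
# output database: alert, mysql, user=snort password=secret dbname=snort host=11.10.44.33
"""


def parse_kv(text):
    """Parse key=value lines (miniserv.conf style) into a dict; blank and '#' lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def miniserv_findings(conf):
    """Settings that weaken the console-to-agent channel (assumed miniserv semantics)."""
    findings = []
    if conf.get("ssl", "0") != "1":
        findings.append("ssl=0: console-to-agent traffic, including the agent login, is sent in cleartext")
    if not conf.get("allow"):
        findings.append("no allow= list: any host can reach the agent port")
    if conf.get("session", "0") != "1":
        findings.append("session=0: credentials are resent on every request instead of a session cookie")
    return findings


def port_states(netstat_text, port):
    """Return {TCP state: count} for sockets whose local port equals `port`."""
    states = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        local, state = fields[3], fields[5]
        if local.rsplit(":", 1)[-1] == str(port):
            states[state] = states.get(state, 0) + 1
    return states


def active_output_plugins(snort_conf_text):
    """Names of 'output <plugin>:' lines that are not commented out."""
    pat = re.compile(r"^\s*output\s+(\w+)\s*:", re.M)
    return [m.group(1) for m in pat.finditer(snort_conf_text)]


def report(miniserv_text, netstat_text, snort_conf_text, port):
    """Combine the three checks into one dict a sensor admin can read at a glance."""
    plugins = active_output_plugins(snort_conf_text)
    return {
        "agent_findings": miniserv_findings(parse_kv(miniserv_text)),
        "port_states": port_states(netstat_text, port),
        "output_plugins": plugins,
        # Without an active database output plugin, ACID will never see this sensor's alerts.
        "db_output_active": "database" in plugins,
    }


if __name__ == "__main__":
    for key, value in report(MINISERV_CONF, NETSTAT_OUT, SNORT_CONF, 2525).items():
        print(f"{key}: {value}")
```

On the constructed input the report shows an ESTABLISHED count of zero and two TIME_WAIT entries on port 2525 (completed connectivity probes), two agent findings (ssl=0 and session=0), and db_output_active False, which is the first thing to fix if alerts are expected in ACID.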
Current thread:
- Sensor Agent at Remote machine Naveen C Joshi (May 20)
- RE: Sensor Agent at Remote machine Naveen C Joshi (May 24)