Re: remote snort sensor

[Xavier Cabrera <xavierc () devilcrack org>]

Compile your snort whit MySQL support just like before. Even if your 
remote machine does not run the database....

Later you can send this alerts to the correct database configuring in 
the snort.conf or with barnyard...

in the snort.conf
output database: log, mysql, user=snort  password=test dbname=snort  
host=172.15.2.1 sensor_name=snort1_remote (where 172.15.2.1 its the 
mysql server)

or with barnyard + ACID

# acid_db
#-------------------------------
# Available as both a log and alert output plugin.  Used to output data into
# the db schema used by ACID
# Arguments:
#      $db_flavor           - what flavor of database (ie, mysql)
#      sensor_id $sensor_id - integer sensor id to insert data as
#      database $database   - name of the database
#      server $server       - server the database is located on
#      user $user           - username to connect to the database as
#      password $password   - password for database authentication
output alert_acid_db: mysql, sensor_id snort1remote.mycompany.net, 
database snort, server ids.mycompany.net, user snort, password yourpassword
output log_acid_db: mysql, database snort, server ids.mycompany.net, 
user snort, password yourpassword, detail full

where 'server ids.mycompany.net' its the name resolution for your mysql 
server

I hope this can help you

Regards

Xavier C.




Raynaud, Francois wrote:

> Hi All,
>  
> My existing architecture is as follows :
>     - Mysql database
>     - Apache with PHP to run BASE
>     - one snort sensor
>  
> This is all working perfectly no problem.
>  
> Following this installation I started building a remote snort sensor 
> with mysql support.
> I have installed the shared compatible librairies for Mysql and built 
> snort with the --with-mysql switch.
>  
> The problem occurs when I try to start snort with the following 
> commadn : snort -c /etc/snort/snort-2.3.3/etc/snort.conf -l /var/log/snort
>  
> The system comes back with this error : database : 'mysql' support is 
> not compiled into this build of snort.
>  
> Anybody could give me some pointers on where to look ?
>  
> Cheers,
>  
> *Francois Raynaud*
>  
> Senior Network Security specialist
> International Security Group
> Sametime: francois.raynaud
> Vnet: 419 6041
>  




-------------------------------------------------------
This SF.Net email is sponsored by: NEC IT Guy Games.
Get your fingers limbered up and give it your best shot. 4 great events, 4
opportunities to win big! Highest score wins.NEC IT Guy Games. Play to
win an NEC 61 plasma display. Visit http://www.necitguy.com/?r=20
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users