Snort mailing list archives

Re: Multiple sensors one database


From: beenph <beenph () gmail com>
Date: Tue, 12 Apr 2011 21:33:55 -0400

On Tue, Apr 12, 2011 at 5:03 PM, Atkins, Dwane P <ATKINSD () uthscsa edu> wrote:
Good afternoon,

We are running two snort devices and attempting to get them both to record
to one mysql database.

Created database snort.  Assigned permissions to sensor1@10.10.10.10 and
sensor2@10.10.10.11.  I installed the Snort 2.9.0.5 schema so that the databases
would all look the same. Yes, I did have a single mysql database on each
sensor, but was told that in order to run a particular application, I
would need a single database.

We are using Snort 2.9.0.5 on Ubuntu 10.04.01 LTS.  We are using Barnyard2.
In the Barnyard2.conf file, we have an entry, "output database: log, mysql,
user=snort password=snortpass dbname=snort host=10.10.12.1
sensor_name='sensor1'", and have an identical entry for the second sensor.

I have not made any configuration changes to the my.cnf.  It currently binds to
127.0.0.1, but should I have it bind to the Master?

# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
bind-address            = 10.10.12.1

Is there anywhere else I need to check?  Do I need to shutdown mysql on each
sensor now?

Thank you

Dwane


I am not sure I clearly understand your statement, but on your second
sensor you should have sensor_name='sensor2', since if I remember well
the "acid" schema will use that to identify last_cid, and you could run
into sync trouble if you run two sensors that use the same event counter.

On the other hand, as I stated, I am not sure I completely understand your
ultimate goal besides probably using a database on a separate system. If
that's so, then you should update both barnyard configs to point to your
new database, and from there restart barnyard and it should be logging
to the "centralized" database.

-elz
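To make the last_cid point in the reply concrete, here is an added example (not code from the thread or from Barnyard2 itself) that models how a Barnyard2 database output plugin resolves its sid from sensor_name, loads last_cid at startup, and then numbers events locally, against a sqlite stand-in for the schema's sensor and event tables; the interface value "eth0", the simplified columns, and the sample events are constructed assumptions. Two instances started with the same sensor_name share one sid and collide on the (sid, cid) primary key, which is the "sync trouble" described above.

```python
import sqlite3

# Cut-down model of the Snort schema's sensor and event tables (column names
# as in the schema, other columns and MySQL-specific types left out).
SCHEMA = """
CREATE TABLE sensor (sid INTEGER PRIMARY KEY AUTOINCREMENT, hostname TEXT,
                     interface TEXT, last_cid INTEGER NOT NULL DEFAULT 0);
CREATE TABLE event (sid INTEGER NOT NULL, cid INTEGER NOT NULL,
                    signature INTEGER NOT NULL, timestamp TEXT NOT NULL,
                    PRIMARY KEY (sid, cid));
"""

class BarnyardSensor:
    """One barnyard2 instance: resolve sid by sensor_name at startup, load
    last_cid once, then count events in memory (modelled, not the real code)."""
    def __init__(self, conn, sensor_name, interface="eth0"):
        self.conn = conn
        row = conn.execute(
            "SELECT sid, last_cid FROM sensor WHERE hostname=? AND interface=?",
            (sensor_name, interface)).fetchone()
        if row is None:  # first time this sensor_name is seen: register it
            cur = conn.execute(
                "INSERT INTO sensor (hostname, interface, last_cid) VALUES (?, ?, 0)",
                (sensor_name, interface))
            row = (cur.lastrowid, 0)
        self.sid, self.cid = row

    def log_event(self, signature, timestamp):
        """Insert one event under the next local cid; returns (sid, cid)."""
        self.cid += 1
        self.conn.execute(
            "INSERT INTO event (sid, cid, signature, timestamp) VALUES (?, ?, ?, ?)",
            (self.sid, self.cid, signature, timestamp))
        self.conn.execute("UPDATE sensor SET last_cid=? WHERE sid=?",
                          (self.cid, self.sid))
        return (self.sid, self.cid)

def simulate(name_a, name_b):
    """Start two instances against one fresh database, log one event each.
    Returns (sids_differ, both_events_inserted)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    a = BarnyardSensor(conn, name_a)
    b = BarnyardSensor(conn, name_b)
    a.log_event(1000001, "2011-04-12 21:00:00")  # constructed sample events
    try:
        b.log_event(1000002, "2011-04-12 21:00:01")
        both = True
    except sqlite3.IntegrityError:  # duplicate (sid, cid): the shared counter
        both = False
    return (a.sid != b.sid, both)
```

simulate("sensor1", "sensor2") gives each sensor its own sid and both events land; simulate("sensor1", "sensor1") makes the second insert fail on the primary key.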
