Snort mailing list archives
RE: Snort and ACID (multiple sensors)
From: "Keith Ramsey" <keith () team inter net>
Date: Thu, 21 Mar 2002 14:16:30 -0500
Set up a secure tunnel via SSH forwarding:

    ssh -2 -N -f -L 3306:www.xxx.yyy.zzz:3306 snort@www.xxx.yyy.zzz

where www.xxx.yyy.zzz is the IP of the box with the MySQL snort database (also must have an ssh daemon running).

Then you have to change your snort.conf output line to something like:

    output database: alert, mysql, dbname=snort user=snort host=127.0.0.1 port=3306 password=password sensor_name=snort1 detail=full encoding=hex

Keith Ramsey
Sr Network Security Engineer
Inter.net Global Ltd.
(703)-456-3936
---
Out the NIC, down the cat5, thru the switch, across the router, over the T1... Nothing but net!

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Luo, Feng (Exchange)
Sent: Thursday, March 21, 2002 1:56 PM
To: 'Michael Steele'; snort-users () lists sourceforge net
Cc: 'Rohit Raju'
Subject: RE: [Snort-users] Snort and ACID (multiple sensors)

What kind of secure path for the remote sensor to connect to the MySQL database did you mention here? Please specify.

-----Original Message-----
From: Michael Steele [mailto:michaels () silicondefense com]
Sent: Thursday, March 21, 2002 11:11 AM
To: snort-users () lists sourceforge net
Cc: 'Rohit Raju'
Subject: RE: [Snort-users] Snort and ACID (multiple sensors)

Rohit,

You will need to have snort log to one centralized database, then use Acid to read from that one database. Change the output database line in snort.conf to reflect the location of your ONE database and change the user name. Then add that user to MySQL with the appropriate permissions. Make sure you have a secure path for the remote sensor to connect to the MySQL database.

- Michael

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Rohit Raju
Sent: Thursday, March 21, 2002 6:18 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort and ACID (multiple sensors)

Hi,

I have Snort running at the entry points into my Co.'s two geographically separated intranets...both logging into their respective MySQL databases. I use ACID to monitor the alerts. My question is, can I monitor both those sensors using a single ACID interface? ...in other words, how do I add another sensor to my ACID console?

Regards,
Rohit Raju, CISSP.
Network Security Engineer,
Peak XV Networks, Inc.
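
An added example, not part of the thread: a shell check that reads a sensor's snort.conf and reports whether each active "output database" entry points at the tunnel's local end (host=127.0.0.1) or directly at a remote MySQL host. The function names, the sample config and the 192.0.2.x addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag snort.conf "output database" lines
# whose MySQL connection would bypass the SSH tunnel listening on 127.0.0.1.

# check_db_outputs FILE
# Prints "<STATUS> <sensor_name> <host>:<port>" for each uncommented entry.
#   TUNNEL = host=127.0.0.1, i.e. the forwarded TCP port from the ssh -L command
#   LOCAL  = no host= or host=localhost (MySQL clients on Unix use the local socket)
#   DIRECT = any other host; alerts cross the network outside SSH. Returns 1 if seen.
check_db_outputs() {
    awk '
    BEGIN { bad = 0 }
    /^[ \t]*output[ \t]+database:/ {
        host = ""; port = "3306"; sensor = "-"
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            key = substr($i, 1, n - 1); val = substr($i, n + 1)
            if (key == "host") host = val
            else if (key == "port") port = val
            else if (key == "sensor_name") sensor = val
        }
        # The password= value is parsed past but never printed.
        if (host == "127.0.0.1") status = "TUNNEL"
        else if (host == "" || host == "localhost") status = "LOCAL"
        else { status = "DIRECT"; bad = 1 }
        print status, sensor, host ":" port
    }
    END { exit bad }
    ' "$1"
}

# write_sample FILE: constructed snort.conf fragment with one commented-out entry.
write_sample() {
    cat > "$1" <<'EOF'
# output database: alert, mysql, dbname=snort user=snort host=192.0.2.99 password=x sensor_name=old
output database: alert, mysql, dbname=snort user=snort host=127.0.0.1 port=3306 password=password sensor_name=snort1 detail=full encoding=hex
output database: log, mysql, dbname=snort user=snort host=192.0.2.10 password=password sensor_name=snort2
EOF
}

sample=$(mktemp)
write_sample "$sample"
check_db_outputs "$sample" || echo "at least one entry logs to MySQL outside the tunnel"
rm -f "$sample"
```

Run it against each sensor's real snort.conf after switching to the tunnel; a non-zero exit means an entry still names the database host directly.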