Snort mailing list archives

RE: Snort and ACID (multiple sensors)


From: "Keith Ramsey" <keith () team inter net>
Date: Thu, 21 Mar 2002 14:16:30 -0500

Set up a secure tunnel via SSH forwarding:
 
ssh -2 -N -f -L 3306:www.xxx.yyy.zzz:3306 snort@www.xxx.yyy.zzz

where www.xxx.yyy.zzz is the IP of the box with the MySQL snort database (it
must also have an ssh daemon running)
 
then you have to change your snort.conf output line to something like: 
 
output database: alert, mysql, dbname=snort user=snort host=127.0.0.1
port=3306 password=password sensor_name=snort1 detail=full encoding=hex
 
Keith Ramsey 
Sr Network Security Engineer 
Inter.net Global Ltd. 
(703)-456-3936

---

Out the NIC, down the cat5, thru the switch, across the router, over the
T1... Nothing but net!
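As an added example (not code from Keith's message or from the Snort project), a small POSIX sh wrapper that brings up the forward above on the sensor, waits until 127.0.0.1:3306 is actually listening, prints the matching snort.conf output line and then starts Snort; DB_HOST, the ssh account, the password placeholder and the snort command line are assumptions to adjust for your site.

```shell
#!/bin/sh
# Added example, not code from the thread: bring up the SSH forward described
# above, confirm the local end is listening before Snort starts logging, and
# emit the matching snort.conf line. DB_HOST, the account and the snort
# command line are assumptions to adjust for your site.
set -u
DB_HOST="${DB_HOST:-www.xxx.yyy.zzz}"   # host with the Snort MySQL database and sshd
DB_USER="${DB_USER:-snort}"             # unprivileged ssh account on that host
LOCAL_PORT="${LOCAL_PORT:-3306}"        # loopback port the sensor's Snort connects to

# The forward from the thread. Without -g, ssh binds the local end to 127.0.0.1
# only, so other hosts on the sensor's network cannot reach MySQL through it.
tunnel_cmd() {
    printf 'ssh -2 -N -f -L %s:%s:3306 %s@%s' \
        "$LOCAL_PORT" "$DB_HOST" "$DB_USER" "$DB_HOST"
}

# The matching output line: Snort talks to the tunnel, never to DB_HOST directly.
# $1 is the sensor_name; the password stays a placeholder here.
output_line() {
    printf 'output database: alert, mysql, dbname=snort user=snort host=127.0.0.1 port=%s password=CHANGEME sensor_name=%s detail=full encoding=hex' \
        "$LOCAL_PORT" "$1"
}

# 0 if something listens on 127.0.0.1:$1 (ss or netstat), 2 if neither tool exists.
port_listening() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | grep -q "127\.0\.0\.1:$1[[:space:]]"
    elif command -v netstat >/dev/null 2>&1; then
        netstat -ltn 2>/dev/null | grep -q "127\.0\.0\.1:$1[[:space:]]"
    else
        return 2
    fi
}

main() {
    if ! port_listening "$LOCAL_PORT"; then
        eval "$(tunnel_cmd)" || { echo "ssh forward failed" >&2; return 1; }
        for _ in 1 2 3 4 5; do port_listening "$LOCAL_PORT" && break; sleep 1; done
    fi
    port_listening "$LOCAL_PORT" || { echo "nothing listening on 127.0.0.1:$LOCAL_PORT" >&2; return 1; }
    echo "tunnel up; snort.conf line: $(output_line "${SENSOR_NAME:-snort1}")"
    snort -c /etc/snort/snort.conf -D   # hypothetical Snort daemon start
}

# Run with RUN_TUNNEL=1 ./tunnel.sh; left off by default so the functions can be sourced.
if [ "${RUN_TUNNEL:-0}" = 1 ]; then main; fi
```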


 

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Luo, Feng
(Exchange)
Sent: Thursday, March 21, 2002 1:56 PM
To: 'Michael Steele'; snort-users () lists sourceforge net
Cc: 'Rohit Raju'
Subject: RE: [Snort-users] Snort and ACID (multiple sensors)


What kind of secure path for the remote sensor to connect to the MySQL
database did you mean here? Please specify.

-----Original Message-----
From: Michael Steele [mailto:michaels () silicondefense com]
Sent: Thursday, March 21, 2002 11:11 AM
To: snort-users () lists sourceforge net
Cc: 'Rohit Raju'
Subject: RE: [Snort-users] Snort and ACID (multiple sensors)



Rohit,

 

You will need to have snort log to one centralized database, then use
Acid to read from that one database.

 

Change the output database line in snort.conf to reflect the location of
your ONE database and change the user name. Then add that user to MySQL
with the appropriate permissions. Make sure you have a secure path for
the remote sensor to connect to the MySQL database.

- Michael

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Rohit Raju
Sent: Thursday, March 21, 2002 6:18 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort and ACID (multiple sensors)

 

Hi,

 

      I have Snort running at the entry points into my Co.'s two
geographically separated intranets...both logging into their respective
MySQL databases. I use ACID to monitor the alerts. My question is, can I
monitor both those sensors using a single ACID interface?

      ...in other words, how do I add another sensor to my ACID console?

 

Regards,

Rohit Raju, CISSP.
Network Security Engineer,
Peak XV Networks, Inc.

 

