Snort mailing list archives

centralized mysql collation


From: "David E. Wach" <david () ignw com>
Date: Tue, 5 Feb 2002 11:51:37 -0800

Hello all,

I'm currently running snort at 3 remote sites with logging going to the local mysql daemon on each sensor.  I'm using 
the binary logging in mysql and transfer the logs periodically to my central log server.  I then run the binary logs 
through mysqlbinlog to "replay" the sql and insert the events into my main database.  This way I don't have to leave a 
connection up to each of the sites 24/7.  

The problem I'm running into is the way the mysql schema is set up.  Since the entries in the "signature" table are 
inserted on-the-fly on the remote databases, they don't match the "signature" table on my master database.  What might 
be "WEB-IIS _mem_bin access" on one IDS server ends up being "Traceroute UDP" on the other.  Any ideas on how to get 
all the signatures to correlate to each other?  I've got the same problem with the references too.

Anybody else run into this and come up with a solution?

Thanks for any insight,
-david

--
===============================================
David E. Wach
Senior Managed Security Architect 
david () ignw com
InfoGroup Northwest 541.485.0957 x168
===============================================
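
The ID mismatch described in the post above, reproduced on constructed data together with one way to reconcile it at import time by translating each sensor's local signature ID to the central ID through the signature name. This is an added example, not part of the original post or of Snort's own code. The simplified tables (`signature(sig_id, sig_name)`, `event(sensor, cid, signature)`), the use of SQLite in place of MySQL, keying on the name alone, and all function names are assumptions.

```python
import sqlite3

def make_db(sig_names, events):
    """In-memory DB; sig_id is assigned in first-seen order, as on a sensor."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE signature ("
               "sig_id INTEGER PRIMARY KEY AUTOINCREMENT, sig_name TEXT UNIQUE)")
    db.execute("CREATE TABLE event (sensor TEXT, cid INTEGER, signature INTEGER)")
    for name in sig_names:
        db.execute("INSERT INTO signature (sig_name) VALUES (?)", (name,))
    db.executemany("INSERT INTO event VALUES (?, ?, ?)", events)
    return db

def import_sensor(central, sensor_db, sensor):
    """Copy a sensor's events into central, remapping local sig_id by name."""
    remap = {}
    for local_id, name in sensor_db.execute("SELECT sig_id, sig_name FROM signature"):
        # Create the central row only if this name has not been seen before.
        central.execute("INSERT OR IGNORE INTO signature (sig_name) VALUES (?)", (name,))
        remap[local_id] = central.execute(
            "SELECT sig_id FROM signature WHERE sig_name = ?", (name,)).fetchone()[0]
    for cid, local_sig in sensor_db.execute("SELECT cid, signature FROM event"):
        central.execute("INSERT INTO event VALUES (?, ?, ?)",
                        (sensor, cid, remap[local_sig]))
    return remap

def alerts(central):
    """Resolve every central event to its signature name."""
    return central.execute(
        "SELECT e.sensor, e.cid, s.sig_name FROM event e "
        "JOIN signature s ON s.sig_id = e.signature "
        "ORDER BY e.sensor, e.cid").fetchall()

def demo():
    # Constructed sample data: both sensors saw the same two alerts in opposite
    # order, so local sig_id 1 means something different on each sensor.
    a = make_db(["WEB-IIS _mem_bin access", "Traceroute UDP"],
                [("a", 1, 1), ("a", 2, 2)])
    b = make_db(["Traceroute UDP", "WEB-IIS _mem_bin access"],
                [("b", 1, 1), ("b", 2, 2)])
    central = make_db([], [])
    import_sensor(central, a, "a")
    remap_b = import_sensor(central, b, "b")
    return remap_b, alerts(central)

if __name__ == "__main__":
    print(demo())
```

Replaying sensor b's rows unchanged would have stored its "Traceroute UDP" event under central ID 1, which the central table resolves to "WEB-IIS _mem_bin access"; the remap is what keeps the names attached to the right events.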
 
