Snort mailing list archives
RE: snort warnings
From: "Michael J. McCasland" <mjm () eitsystems com>
Date: Thu, 07 Aug 2003 08:33:31 -0400
Snort Warnings:
I have seen this before and honestly cannot recall what I did to fix it, but I will share my config and you can compare against yours.
RH 7.3 - postgres 7.2.3 (I do not use the 7.3 versions due to compatibility issues with other apps and maybe snort?)
IDS box - make sure snort has version 2.x rules and not 1.X rules! I generally run 4 sensors per Snort box. I use separate rule directories for each sensor with unique sensor IDs - set to alert. The backend postgres DB server has trust authentication for each IDS box's private interface IP. I create a user in postgres with the rights to createdb, and then use that user to create the DB and run the create sql scripts.
That same user is used in the snort.conf files to alert to the db.
Postgresql.conf file has TCPIP turned on, plenty of connections, shared memory, etc.
Troubleshooting:
Do a PS -AX on the DB server and see if you see any postmaster processes for your snortdb from your sensor's IPADDR. If so, he is getting connectivity. If not, make sure you have no IPTABLE rules blocking access and the postgres_hba.conf file grants access to the sensor. Make sure the user you are using to connect with has appropriate rights (try the postgres user to T-Shoot).
I have no problems and have about 18 IDS sensors logging to 5 different postgres servers. Postgres versions 7.2.1 - 7.2.3.
Good Luck, I can share more info if needed.
-mike