Snort mailing list archives

RE: snort-mysql, logging on TWO sql servers


From: "Michael Steele" <michaels () winsnort com>
Date: Sat, 29 Nov 2003 13:41:02 -0800

It greatly depends on your connection and the amount of traffic.

Cheers...

-The WINSNORT.com Management Team
-- 
 Pick up your FREE Windows or UNIX Snort installation guides       
 mailto:support () winsnort com
 Website: http://www.winsnort.com
 Snort: Open Source Network IDS - http://www.snort.org


-----Original Message-----
From: Ryan Finnesey [mailto:ryan.finnesey () corpdsg com]
Sent: Saturday, November 29, 2003 12:59 PM
To: Michael Steele; snort-users () lists sourceforge net
Subject: RE: [Snort-users] snort-mysql, logging on TWO sql servers

What type of bandwidth would you need on the VPN link?


Ryan



-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Michael Steele
Sent: Saturday, November 29, 2003 3:24 PM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] snort-mysql, logging on TWO sql servers

It should be as simple as taking the existing output database line and
duplicating it on the sensor that you want re-directed. You may need to
set the parameters of that line to reflect the necessary paths and
names, including adding sensor_name so you will know which sensor the
alert originated from.

This means that the newly added sensor will also need a clear shot to
the database.

Cheers...

-The WINSNORT.com Management Team
--
 Pick up your FREE Windows or UNIX Snort installation guides
 mailto:support () winsnort com
 Website: http://www.winsnort.com
 Snort: Open Source Network IDS - http://www.snort.org


-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Michel Christophe
Sent: Saturday, November 29, 2003 9:48 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] snort-mysql, logging on TWO sql servers

Hello

    I run snort on two separate networks linked over VPN. Snort logging
to both sql servers taken separately works fine, so does the VPN.

    For security reasons, I would like to mirror the logging of one
snort sensor to both sql servers.

Versions are as follows:

[cm@msi cm]$ rpm -qa | grep snort
snort-mysql-2.0.1-3mdk
snort-2.0.1-3mdk

[cm@msi cm]$ rpm -qa | grep SQL
MySQL-common-4.0.15-1mdk
MySQL-client-4.0.15-1mdk
MySQL-4.0.15-1mdk

On the first machine (let us call it MACHINE-A) I have the following
snort database logging config:

output database: log, mysql, user=XXXXX password=YYYYY dbname=snort host=localhost encoding=hex detail=full

(this machine hosts both snort AND mysql server)

And I would like this machine to sql-log ALSO on the second sql server
(let us call it MACHINE-B). (MACHINE-B is located over the VPN, but I
think the VPN in itself is not a problem.)

Before I run into big headaches, I would like to ask this list first if
such dual logging is possible?

Then, if this is possible (which I hope), could you enlighten me on how
I should fiddle with snort's config file:

Should I add a second snort-database logging config line such as
follows:

output database: log, mysql, user=XXXXX password=YYYYY dbname=snort host=MACHINE-B encoding=hex detail=full

or sum'thin' like this:

output database: log, mysql, user=XXXXX password=YYYYY dbname=snort host=localhost, MACHINE-B encoding=hex detail=full

Thanks for light

--
Michel Christophe <tofm2 () yahoo fr>




-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?  SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
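
Added example (not part of the original thread and not Snort project code): a small Python check that reads the `output database` lines discussed above and reports which destinations are remote, which lack `sensor_name`, and which carry tokens that are not in key=value form. The helper names, the finding codes and the `sensor_name=machine-a` value are assumptions made for illustration; the script only reports what it parses and does not reproduce Snort's own option parser.

```python
import re

# Constructed sample: the three "output database" forms discussed in the thread,
# with sensor_name (value is a made-up label) added to the first one only.
SAMPLE_CONF = """\
output database: log, mysql, user=XXXXX password=YYYYY dbname=snort host=localhost encoding=hex detail=full sensor_name=machine-a
output database: log, mysql, user=XXXXX password=YYYYY dbname=snort host=MACHINE-B encoding=hex detail=full
output database: log, mysql, user=XXXXX password=YYYYY dbname=snort host=localhost, MACHINE-B encoding=hex detail=full
"""

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
OUTPUT_RE = re.compile(r"output\s+database\s*:\s*(\w+)\s*,\s*(\w+)\s*,?\s*(.*)")

def parse_output_database(conf_text):
    """Return one dict per 'output database:' line (hypothetical helper)."""
    joined = re.sub(r"\\\r?\n", " ", conf_text)  # join backslash-continued lines
    entries = []
    for line in joined.splitlines():
        line = line.strip()
        m = None if line.startswith("#") else OUTPUT_RE.match(line)
        if not m:
            continue
        params, stray = {}, []
        for tok in m.group(3).split():
            key, sep, val = tok.partition("=")
            if sep:
                params[key] = val
            else:
                stray.append(tok)  # not key=value, so not a recognisable argument
        entries.append({"facility": m.group(1), "dbtype": m.group(2),
                        "params": params, "stray": stray})
    return entries

def review(entries):
    """Return (entry_number, code, detail) findings for an operator to check."""
    findings = []
    for n, e in enumerate(entries, 1):
        host = e["params"].get("host", "")
        if e["stray"]:
            findings.append((n, "stray-token", " ".join(e["stray"])))
        if host and not re.fullmatch(r"[\w.:-]+", host):
            findings.append((n, "bad-host", host))
        elif host and host.lower() not in LOCAL_HOSTS:
            findings.append((n, "remote-db", host))  # sensor needs a route to it
        if "sensor_name" not in e["params"]:
            findings.append((n, "no-sensor-name", ""))
    return findings

if __name__ == "__main__":
    for finding in review(parse_output_database(SAMPLE_CONF)):
        print(finding)
```

Each `remote-db` finding names a database host the sensor must be able to reach, and each `no-sensor-name` finding marks a destination where alerts would arrive without the originating sensor's label.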




