RE: remote snort sensor

["Raynaud, Francois" <francois.raynaud () uk mci com>]

Thanks a lot.
If only I didn't follow the manual....

It appears that when compiling Snort without mysql support first, you need
to issue the 'make clean' command before trying to re-compile any other
version of Snort, i.e: --with-mysql, --with-flexresp,...
Yes (to all Unix sysadmins), this is normal in an Unix system, just don't
forget to think about it ;) 

Hope that helps...

francois
-----Original Message-----
From: Xavier Cabrera [mailto:xavierc () devilcrack org] 
Sent: 04 May 2005 21:11
To: Raynaud, Francois
Cc: 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] remote snort sensor


Compile your snort whit MySQL support just like before. Even if your 
remote machine does not run the database....

Later you can send this alerts to the correct database configuring in 
the snort.conf or with barnyard...

in the snort.conf
output database: log, mysql, user=snort  password=test dbname=snort  
host=172.15.2.1 sensor_name=snort1_remote (where 172.15.2.1 its the 
mysql server)

or with barnyard + ACID

# acid_db
#-------------------------------
# Available as both a log and alert output plugin.  Used to output data into
# the db schema used by ACID # Arguments:
#      $db_flavor           - what flavor of database (ie, mysql)
#      sensor_id $sensor_id - integer sensor id to insert data as
#      database $database   - name of the database
#      server $server       - server the database is located on
#      user $user           - username to connect to the database as
#      password $password   - password for database authentication
output alert_acid_db: mysql, sensor_id snort1remote.mycompany.net, 
database snort, server ids.mycompany.net, user snort, password yourpassword
output log_acid_db: mysql, database snort, server ids.mycompany.net, 
user snort, password yourpassword, detail full

where 'server ids.mycompany.net' its the name resolution for your mysql 
server

I hope this can help you

Regards

Xavier C.




Raynaud, Francois wrote:

> Hi All,
>  
> My existing architecture is as follows :
>     - Mysql database
>     - Apache with PHP to run BASE
>     - one snort sensor
>  
> This is all working perfectly no problem.
>  
> Following this installation I started building a remote snort sensor
> with mysql support.
> I have installed the shared compatible librairies for Mysql and built 
> snort with the --with-mysql switch.
>  
> The problem occurs when I try to start snort with the following
> commadn : snort -c /etc/snort/snort-2.3.3/etc/snort.conf -l /var/log/snort
>  
> The system comes back with this error : database : 'mysql' support is
> not compiled into this build of snort.
>  
> Anybody could give me some pointers on where to look ?
>  
> Cheers,
>  
> *Francois Raynaud*
>  
> Senior Network Security specialist
> International Security Group
> Sametime: francois.raynaud
> Vnet: 419 6041
>