Snort mailing list archives
Re: Multiple sensors one database
From: "Atkins, Dwane P" <ATKINSD () uthscsa edu>
Date: Wed, 13 Apr 2011 15:27:32 +0000
I now have the sensor sending information to a centralized database. My issue was that we had added permissions to snort-sensor1@10.10.10.11 instead of 'snort'@'snort-sensor1.v60.mydomain.com'. I do have issues with my sensor2, but I believe that is a configuration issue.

To complete this: I execute mysql -u root -p <enter> and the root password on the server which hosts the centralized database. Type in use snort; and then I typed in GRANT ALL ON snort.* TO 'snort'@'snort-sensor1.v60.mydomain.com';. I typed in the same command for sensor2. As soon as this happened, you could see the traffic passing.

Thanks to all for your help. I hope this will help someone later down the line. I have defined my centralized database in the barnyard2.conf file.

Dwane

-----Original Message-----
From: Atkins, Dwane P [mailto:ATKINSD () uthscsa edu]
Sent: Tuesday, April 12, 2011 9:15 PM
To: beenph
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Multiple sensors one database

Yes. I think you are right on track with my desires. These two sensors need to send their alerts to a centralized mysql server on another device. I really believe we are experiencing a permissions issue. We can ping each device, so the connectivity via ICMP is there. Each database, which I am not sure I need on the sensors, is called snort, with identical setups with the exception of sensor_names and ip addresses. I am at a loss and any help or thoughts would be appreciated.

Thank you --- From my iPhone.

Dwane

On Apr 12, 2011, at 8:33 PM, "beenph" <beenph () gmail com> wrote:
On Tue, Apr 12, 2011 at 5:03 PM, Atkins, Dwane P <ATKINSD () uthscsa edu> wrote:

> Good afternoon,
>
> We are running two snort devices and attempting to get them both to record to one mysql database. Created database snort. Assigned permissions to sensor1@10.10.10.10 and sensor2@10.10.10.11. I installed the Snort 2.9.0.5 schema so that the databases would all look the same. Yes, I did have a single mysql database on each sensor but was told that in order to run a particular application, I would need a single database.
>
> We are using Snort 2.9.0.5 on Ubuntu 10.04.01 LTS. We are using Barnyard2. In the Barnyard2.conf file, we have an entry, "output database: log, mysql, user=snort password=snortpass dbname=snort host=10.10.12.1 sensor_name='sensor1'", and have an identical entry for the second sensor.
>
> I have not made any configuration changes to the my.cnf. It currently binds to 127.0.0.1, but should I have it bind to the Master?
>
> # Instead of skip-networking the default is now to listen only on
> # localhost which is more compatible and is not less secure.
> bind-address = 10.10.12.1
>
> Is there anywhere else I need to check? Do I need to shut down mysql on each sensor now?
>
> Thank you
>
> Dwane

I am not sure I clearly understand your statement, but on your second sensor you should have sensor_name='sensor2', since, if I remember well, the "acid" schema will use that to identify last_cid, and you could run into sync trouble if you run two sensors that use the same event counter.

On the other hand, as I stated, I am not sure I completely understand your ultimate goal besides probably using a database on a separate system; if that's so, then you should update both barnyard configs to point to your new database and from there restart barnyard, and it should be logging to the "centralized" database.

-elz
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
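The fix Dwane describes comes down to one MySQL rule: an account is matched on user AND the host the server sees the client connecting from, so a grant to snort-sensor1@10.10.10.11 never applies to a client that logs in as 'snort' from snort-sensor1.v60.mydomain.com. The statements below are an added example, not code from the thread or from Snort/Barnyard2; they use the hostnames and the 10.10.12.1 database host from the thread, and assume the sensors' addresses reverse-resolve to those names (if the server runs with skip-name-resolve, put the sensor IPs in the host part instead). The password placeholder and the privilege set are assumptions: GRANT ALL, as used in the thread, is more than barnyard2 needs to insert events and advance last_cid in the sensor table, so the example grants the narrower set and notes where to widen it.

```sql
-- Run on the central database host (10.10.12.1 in the thread) as the MySQL root user.
-- Create the accounts explicitly, with a password. On MySQL 5.x a bare GRANT to a
-- non-existent account silently creates it with an EMPTY password unless
-- sql_mode includes NO_AUTO_CREATE_USER, which is a second way the thread's
-- "GRANT ALL ... TO 'snort'@'...'" can go wrong.
-- The host part must be what the server sees for the client: the reverse-DNS name
-- of 10.10.10.10 / 10.10.10.11 (assumed to be the names below), or the IP itself
-- when the server runs with skip-name-resolve.
CREATE USER 'snort'@'snort-sensor1.v60.mydomain.com' IDENTIFIED BY 'CHANGE-ME';  -- placeholder password
CREATE USER 'snort'@'snort-sensor2.v60.mydomain.com' IDENTIFIED BY 'CHANGE-ME';  -- placeholder password

-- Least privilege instead of ALL: barnyard2 reads the schema/sensor tables,
-- inserts events, and updates the sensor table (last_cid). Assumed minimal set;
-- add DELETE or CREATE only if the front end you run against the database needs them.
GRANT SELECT, INSERT, UPDATE ON snort.* TO 'snort'@'snort-sensor1.v60.mydomain.com';
GRANT SELECT, INSERT, UPDATE ON snort.* TO 'snort'@'snort-sensor2.v60.mydomain.com';

-- Check what actually exists. A row such as user='snort-sensor1', host='10.10.10.11'
-- is the mistake described in the thread: the sensor name landed in the user column
-- and the grant applies to an account barnyard2 never logs in as.
SELECT user, host FROM mysql.user
 WHERE user LIKE '%snort%' OR host LIKE '10.10.10.%'
 ORDER BY user, host;

SHOW GRANTS FOR 'snort'@'snort-sensor1.v60.mydomain.com';
SHOW GRANTS FOR 'snort'@'snort-sensor2.v60.mydomain.com';

-- Run this FROM EACH SENSOR, e.g.:
--   mysql -h 10.10.12.1 -u snort -p snort -e "SELECT USER(), CURRENT_USER();"
-- USER() is the user@host the client claimed; CURRENT_USER() is the account row
-- the server actually matched. If the host parts differ (or the login is refused
-- outright), the GRANT targeted the wrong host, not the wrong privileges.
SELECT USER(), CURRENT_USER();
```

Two things outside SQL still have to be right for this to work, both raised in the thread: mysqld on 10.10.12.1 must listen on that address rather than 127.0.0.1 (the bind-address line in my.cnf), and each sensor's barnyard2.conf output line must carry its own sensor_name, since the schema keys last_cid on the sensor and two sensors sharing one name will collide on the event counter.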
Current thread:
- Multiple sensors one database Atkins, Dwane P (Apr 12)
- Re: Multiple sensors one database beenph (Apr 12)
- Re: Multiple sensors one database Atkins, Dwane P (Apr 12)
- Re: Multiple sensors one database Atkins, Dwane P (Apr 13)
- Re: Multiple sensors one database beenph (Apr 13)
- Re: Multiple sensors one database Atkins, Dwane P (Apr 12)
- Re: Multiple sensors one database beenph (Apr 12)