[Snort-users] Any HOWTO for merging separate snort IDS's into central DB?

Benjamin Hippler benjamin.hippler at ...7708...
Sat Dec 21 00:11:04 EST 2002


Hi,
I currently have 3 sensors (will become more) for 4 C nets logging into one
central MySQL DB and it works fine. Why do you still want to write the
logs/entries locally? If you give all your boxes the same MySQL hostname to
write the logs to, you don't have to merge all your stuff afterwards.

Or maybe I got you wrong on what you want.

http://www.snort.org/docs/snort-rh7-mysql-ACID-1-5.pdf

> -----Original Message-----
> From: Jason Haar [mailto:Jason.Haar at ...294...]
> Sent: Tuesday, December 17, 2002 6:55 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Any HOWTO for merging separate snort IDS's into
> central DB?
> 
> 
> For network protection we're running snort on separate boxes with local
> MySQL databases. However, once a month (say) I'd like to pull those SQL logs
> together into a "meta-DB" so that we can look at the IDS network as a whole.
> 
> Obviously snort on these standalone systems is re-using the same id numbers
> for different things, so I was wondering if anyone had written a script that
> could allow such separate databases to be pulled together as a consistent
> offering. All our snort systems run the same release and same schema, so
> their data is internally consistent.
> 
> Thanks
> 
> -- 
> Cheers
> 
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
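
The id collision raised in the quoted question, worked through as an added example (not code from either poster or from the Snort project): a merge that remaps each sensor's local `sid` and signature ids by hostname and signature name. It assumes a simplified subset of the Snort database schema and uses in-memory SQLite in place of MySQL so it runs offline; the hostnames and alert rows are constructed.

```python
import sqlite3

SCHEMA = """
CREATE TABLE sensor    (sid INTEGER PRIMARY KEY, hostname TEXT UNIQUE);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT UNIQUE);
CREATE TABLE event     (sid INTEGER, cid INTEGER, signature INTEGER,
                        timestamp TEXT, PRIMARY KEY (sid, cid));
"""

def new_db(hostname, alerts):
    """Build a constructed per-sensor database; alerts = [(sig_name, timestamp)]."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO sensor VALUES (1, ?)", (hostname,))  # every box is sid 1
    for cid, (name, ts) in enumerate(alerts, 1):
        db.execute("INSERT OR IGNORE INTO signature (sig_name) VALUES (?)", (name,))
        sig = db.execute("SELECT sig_id FROM signature WHERE sig_name=?", (name,)).fetchone()[0]
        db.execute("INSERT INTO event VALUES (1, ?, ?, ?)", (cid, sig, ts))
    return db

def lookup_or_add(db, table, key_col, id_col, value):
    """Return the central id for a natural key, allocating one if unseen."""
    db.execute(f"INSERT OR IGNORE INTO {table} ({key_col}) VALUES (?)", (value,))
    return db.execute(f"SELECT {id_col} FROM {table} WHERE {key_col}=?", (value,)).fetchone()[0]

def merge(central, local):
    """Copy one sensor DB into central, remapping sid and signature ids."""
    sid_map = {old: lookup_or_add(central, "sensor", "hostname", "sid", host)
               for old, host in local.execute("SELECT sid, hostname FROM sensor")}
    sig_map = {old: lookup_or_add(central, "signature", "sig_name", "sig_id", name)
               for old, name in local.execute("SELECT sig_id, sig_name FROM signature")}
    rows = [(sid_map[s], c, sig_map[g], ts) for s, c, g, ts in
            local.execute("SELECT sid, cid, signature, timestamp FROM event")]
    # INSERT OR IGNORE makes a repeated monthly merge idempotent per (sid, cid)
    central.executemany("INSERT OR IGNORE INTO event VALUES (?, ?, ?, ?)", rows)
    central.commit()
    return len(rows)

def demo():
    """Constructed data: both sensors use sid 1, and sig_id 1 means different rules."""
    a = new_db("ids-a", [("ICMP PING", "2002-12-01 10:00:00"),
                         ("WEB-IIS cmd.exe access", "2002-12-01 10:05:00")])
    b = new_db("ids-b", [("WEB-IIS cmd.exe access", "2002-12-02 09:00:00")])
    central = sqlite3.connect(":memory:")
    central.executescript(SCHEMA)
    for local in (a, b, a):  # merging "a" twice must not duplicate events
        merge(central, local)
    return central.execute(
        "SELECT s.hostname, e.cid, g.sig_name FROM event e JOIN sensor s ON s.sid=e.sid "
        "JOIN signature g ON g.sig_id=e.signature ORDER BY s.hostname, e.cid").fetchall()
```

In the full Snort schema the per-packet tables keyed by `(sid, cid)` need the same `sid` remap applied before they are copied.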