[Snort-users] centralized mysql collation

David E. Wach david at ...4877...
Tue Feb 5 11:47:13 EST 2002


Hello all,

I'm currently running snort at 3 remote sites with logging going to the local mysql daemon on each sensor.  I'm using the binary logging in mysql and transfer the logs periodically to my central log server.  I then run the binary logs through mysqlbinlog to "replay" the sql and insert the events into my main database.  This way I don't have to leave a connection up to each of the sites 24/7.  

The problem I'm running into is the way the mysql schema is set up.  Since the entries in the "signature" table are inserted on-the-fly on the remote databases, they don't match the "signature" table on my master database.  What might be "WEB-IIS _mem_bin access" on one IDS server ends up being "Traceroute UDP" on the other.  Any ideas on how to get all the signatures to correlate to each other?  I've got the same problem with the references too.

Anybody else run into this and come up with a solution?

Thanks for any insight,
-david

--
===============================================
David E. Wach
Senior Managed Security Architect 
david at ...4877...
InfoGroup Northwest 541.485.0957 x168
===============================================
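
The mismatch described above, and one way to reconcile it at import time, as an added example that is not part of the original post or of Snort's own code: each sensor's local sig_id is translated to the central id by looking the signature up by name. The two-table schema is a simplified stand-in (an assumption), SQLite replaces MySQL so the example runs offline, and the sensor rows are constructed.

```python
import sqlite3

def open_central():
    """In-memory stand-in for the central database (simplified schema, an assumption)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE signature (sig_id INTEGER PRIMARY KEY AUTOINCREMENT,
                                sig_name TEXT NOT NULL UNIQUE);
        CREATE TABLE event (sensor TEXT NOT NULL, cid INTEGER NOT NULL,
                            signature INTEGER NOT NULL REFERENCES signature(sig_id),
                            PRIMARY KEY (sensor, cid));
    """)
    return db

def merge_sensor(db, sensor, signatures, events):
    """Import one sensor's rows, translating its local sig_id values.

    signatures: [(local_sig_id, sig_name)], events: [(cid, local_sig_id)].
    Returns the local -> central sig_id map that was applied.
    """
    id_map = {}
    for local_id, name in signatures:
        # The name is the stable key; the numeric id only has meaning per database.
        db.execute("INSERT OR IGNORE INTO signature (sig_name) VALUES (?)", (name,))
        id_map[local_id] = db.execute(
            "SELECT sig_id FROM signature WHERE sig_name = ?", (name,)).fetchone()[0]
    for cid, local_id in events:
        if local_id not in id_map:
            raise ValueError(f"{sensor}: event {cid} references unknown sig_id {local_id}")
        db.execute("INSERT INTO event VALUES (?, ?, ?)", (sensor, cid, id_map[local_id]))
    db.commit()
    return id_map

def event_names(db):
    """Resolve every central event back to its signature name."""
    return db.execute("""SELECT e.sensor, e.cid, s.sig_name FROM event e
                         JOIN signature s ON s.sig_id = e.signature
                         ORDER BY e.sensor, e.cid""").fetchall()

# Constructed sample data: both sensors assigned sig_id 1 to different alerts.
SITE_A = ([(1, "WEB-IIS _mem_bin access"), (2, "Traceroute UDP")], [(1, 1), (2, 2)])
SITE_B = ([(1, "Traceroute UDP"), (2, "WEB-IIS _mem_bin access")], [(1, 1), (2, 1)])

if __name__ == "__main__":
    central = open_central()
    merge_sensor(central, "site-a", *SITE_A)
    merge_sensor(central, "site-b", *SITE_B)
    for row in event_names(central):
        print(row)
```

Replaying a sensor's SQL verbatim skips this translation step, which is why the same number resolves to different alert names on the master; the references would need the same name-keyed mapping.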
 



