[Snort-users] RE: Snort

Fallon, Benjamin bfallon at ...4839...
Mon Jul 1 05:52:16 EDT 2002


I've had it working on MS 2k, w/IIS, ACID & MS-SQL.  The ACID queries need
work and you definitely need a pretty high end machine for the queries or
you really need to keep up on cleaning up the database frequently.  Other
than that, everything works pretty well.  Still trying to get it to not
lose so many packets.  Averages about 6% data loss over 100Meg pipe.

Ben

-----Original Message-----
From: Michael Steele [mailto:michaels at ...155...]
Sent: Saturday, June 22, 2002 12:40 AM
To: 'Don'; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] RE: Snort


Don,

The only thing I don't like about MS-SQL is that you have to buy it,
whereas MySQL is free. This would be the best way to go, or Oracle would
even be better. 

Michael Steele | System Engineer / System Administrator     
mailto:michaels at ...155...
http://www.silicondefense.com


-----Original Message-----
From: Don [mailto:Don at ...5881...] 
Sent: June 21, 2002 10:56 AM
To: Michael Steele; 'Ross Draper'
Subject: RE: [Snort-users] RE: Snort

Ross, I'd like to try to do the same as you are doing. Could you enlighten
me on how you went about getting everything to MS-SQL? I'm taking my snort
logging one step at a time right now, getting all the glitches out between
steps until I get a good flow. My goal is to have everything on ms-sql;
currently I am just remote syslogging, and the syslog forwards to sql. I
guess my question is, how do you like the setup you have/had, how did you
like the Snort/mySQL/Acid/Apache system as you had it, and what are you
hoping to accomplish by moving to ms-sql/iis? Do you have some ideas of
using asp pages to get reports? I guess I'll have to set up a
Snort/mySQL/Acid/Apache system to see what that takes, although I have no
experience with apache, then I'll try to port over to ms-sql myself. I'm
just kind of soliciting feedback on your experience I guess at this point.
Sorry to ramble on, just interested in what you are doing here.

Don


> >-----Original Message-----
> >From: snort-users-admin at lists.sourceforge.net
> >[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Michael
> >Steele
> >Sent: Friday, June 21, 2002 10:03 AM
> >To: 'Ross Draper'
> >Cc: snort-users at lists.sourceforge.net
> >Subject: [Snort-users] RE: Snort
> >
> >
> >Ross,
> >
> >Be sure to set the correct port option in your output database line for
> >your MSSQL database. I believe the default is 3306 which is where MySQL
> >sits, and there is one in your Acid configuration too.
> >
> >I'm really running short on time and won't be back in until next
> >Wednesday. Would love to hear from you on this because I have never set
> >this configuration up. Our programmer is the one who developed support
> >in Acid for MSSQL, and has set it up, but I haven't had time to sit down
> >with him and do it from scratch and write the docs.
> >
> >-Michael
> >--
> > Michael Steele | System Engineer / Support Technician
> > mailto:michaels at ...155...
> > Silicon Defense: IDS solutions - http://www.silicondefense.com
> > Snort: Open Source Network IDS - http://www.snort.org
> >
> >
> >
> >-----Original Message-----
> >From: Ross Draper [mailto:ross.draper at ...6156...]
> >Sent: Friday, June 21, 2002 8:43 AM
> >To: michaels at ...155...
> >Subject: Snort
> >
> >
> >
> >Hi Michael
> >
> >Sorry to bother you - I appreciate you must be up to your neck in people
> >pestering you for help.
> >
> >I recently deployed Snort/mySQL/Acid/Apache on a windows 2k box, using your
> >documentation (worked perfectly - many thanks!).
> >
> >Due to the stresses placed on it I have now tried to move the database and
> >web server functionality to a separate windows2000 box running MSSQL and
> >IIS.  I have created the Table structure in Snort and went through your
> >instructions on running acid with mysql and IIS because I could not find
> >any docs on deploying snort with mssql remote logging (and a little bit of
> >ini file fiddling to get php to talk to mssql).  Things seem to be almost
> >complete except for one small but vitally important problem - the damn
> >thing won't log in!
> >
> >Acid pops up the following message when trying to view reports:
> >
> >Warning: MS SQL message: Login failed for user 'snort'. (severity 14) in c:\snort\adodb\adodb-mssql.inc.php on line 145
> >Warning: MS SQL: Unable to connect to server: localhost in c:\snort\adodb\adodb-mssql.inc.php on line 145
> >Error (p)connecting to DB : snort at ...274...
> >Check the DB connection variables in acid_conf.php
> >               = $alert_dbname   : MySQL database name where the alerts are stored
> >               = $alert_host     : host where the database is stored
> >               = $alert_port     : port where the database is stored
> >               = $alert_user     : username into the database
> >               = $alert_password : password for the username
> >Database ERROR:Login failed for user 'snort'.
> >
> >I've reset the passwords, wondered if snort was trying to log in with the
> >user name of "snort at ...274..." so created this login as well as simply
> >"snort". Double checked the ini file and have come to the conclusion that
> >I am simply stupid.
> >
> >Any ideas?
> >
> >Kind Regards
> >
> >Ross
> >
> >-------------------------------------------------------
> >Sponsored by:
> >ThinkGeek at http://www.ThinkGeek.com/
> >_______________________________________________
> >Snort-users mailing list
> >Snort-users at lists.sourceforge.net
> >Go to this URL to change user options or unsubscribe:
> >https://lists.sourceforge.net/lists/listinfo/snort-users
> >Snort-users list archive:
> >http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
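
An added example, not part of the thread and not code from Snort or ACID: a small Python check that Snort's `output database` line and ACID's `acid_conf.php` agree on database type and name, and that an MSSQL setup is not left on MySQL's port 3306 as warned above. It assumes the `key=value` form of the output line, an ACID `$DBtype` variable, and SQL Server's usual TCP port 1433; the sample configs are constructed.

```python
import re

# 3306 is the MySQL port named in the thread; 1433 is SQL Server's usual TCP port.
DEFAULT_PORT = {"mysql": "3306", "mssql": "1433"}
# Constructed sample configs (placeholder address and password, not from the thread).
SNORT_CONF = """
output database: log, mssql, user=snort password=CHANGEME dbname=snort host=192.0.2.10 port=3306
"""
ACID_CONF = """
$DBtype         = "mssql";
$alert_dbname   = "snort_log";
$alert_port     = "3306";
$alert_user     = "snort";
$alert_password = "CHANGEME";
"""

def parse_snort_output(text):
    """Settings of the first uncommented 'output database:' line, or None."""
    m = re.search(r"^[ \t]*output\s+database:\s*\w+\s*,\s*(\w+)\s*,?\s*(.*)$", text, re.M)
    if not m:
        return None
    settings = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    settings["dbtype"] = m.group(1).lower()
    return settings

def parse_acid_conf(text):
    """$DBtype and the $alert_* variables assigned in acid_conf.php."""
    return dict(re.findall(r'''^\s*\$(DBtype|alert_\w+)\s*=\s*["']([^"']*)["']\s*;''', text, re.M))

def audit(snort_text, acid_text):
    """Return findings as strings; password values are never echoed."""
    snort = parse_snort_output(snort_text)
    if snort is None:
        return ["snort.conf: no active 'output database' line found"]
    acid = parse_acid_conf(acid_text)
    findings = []
    for name, dbtype, port in (("snort.conf", snort["dbtype"], snort.get("port", "")),
                               ("acid_conf.php", acid.get("DBtype", "").lower(), acid.get("alert_port", ""))):
        expected = DEFAULT_PORT.get(dbtype)
        # Flag only a port that is another engine's default, e.g. mssql left on 3306.
        if expected and port != expected and port in DEFAULT_PORT.values():
            findings.append(f"{name}: dbtype {dbtype} uses port {port}, expected {expected}")
    for s_key, a_key in (("dbtype", "DBtype"), ("dbname", "alert_dbname")):
        if snort.get(s_key, "").lower() != acid.get(a_key, "").lower():
            findings.append(f"{s_key} differs: snort.conf={snort.get(s_key)!r} acid_conf.php={acid.get(a_key)!r}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SNORT_CONF, ACID_CONF)))
```

A port that is not another engine's default is left alone, so a deliberately non-standard listener does not raise a finding.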





