[Snort-users] Snort and ACID (multiple sensors)

Keith Ramsey keith at ...5358...
Thu Mar 21 11:17:17 EST 2002


Set up a secure tunnel via SSH forwarding:
 
ssh -2 -N -f -L 3306:www.xxx.yyy.zzz:3306 snort at ...5360...

where www.xxx.yyy.zzz is the IP of the box with the MySQL snort database
(also must have a ssh daemon running)
 
then you have to change your snort.conf output line to something like: 
 
output database: alert, mysql, dbname=snort user=snort host=127.0.0.1 port=3306 password=password sensor_name=snort1 detail=full encoding=hex
 
Keith Ramsey 
Sr Network Security Engineer 
Inter.net Global Ltd. 
(703)-456-3936

---

Out the NIC, down the cat5, thru the switch, across the router, over the
T1... Nothing but net!


 

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Luo, Feng
(Exchange)
Sent: Thursday, March 21, 2002 1:56 PM
To: 'Michael Steele'; snort-users at lists.sourceforge.net
Cc: 'Rohit Raju'
Subject: RE: [Snort-users] Snort and ACID (multiple sensors)


What kind of secure path for the remote sensor to connect to the
MySQL database did you mention here? Please specify.

-----Original Message-----
From: Michael Steele [mailto:michaels at ...155...]
Sent: Thursday, March 21, 2002 11:11 AM
To: snort-users at lists.sourceforge.net
Cc: 'Rohit Raju'
Subject: RE: [Snort-users] Snort and ACID (multiple sensors)



Rohit,

 

You will need to have snort log to one centralized database, then use
Acid to read from that one database.

 

Change the output database line in snort.conf to reflect the location of
your ONE database and change the user name. Then add that user to MySQL
with the appropriate permissions. Make sure you have a secure path for
the remote sensor to connect to the MySQL database.

- Michael

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Rohit Raju
Sent: Thursday, March 21, 2002 6:18 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort and ACID (multiple sensors)

 

Hi,

 

      I have Snort running at the entry points into my Co.'s two
geographically separated intranets...both logging into their respective
MySQL databases. I use ACID to monitor the alerts. My question is, can I
monitor both those sensors using a single ACID interface?

      ...in other words, how do I add another sensor to my ACID console?

 

      Regards,

      Rohit Raju, CISSP.
      Network Security Engineer,
      Peak XV Networks, Inc.
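
An added example, not part of the thread: a POSIX shell check for a sensor's snort.conf that confirms every active "output database:" line points at 127.0.0.1 and the local port of the ssh -L forward described in the first reply, so no alert traffic reaches MySQL outside the tunnel. The function name check_db_output, the TUNNEL_PORT variable and the sample config (using the documentation address range 192.0.2.0/24) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): lint a sensor's snort.conf so every
# "output database:" line sends alerts into the SSH forward on loopback.
# TUNNEL_PORT is the local end of "ssh -L 3306:...:3306" in the message.
TUNNEL_PORT=${TUNNEL_PORT:-3306}

# check_db_output FILE
# Prints one verdict per active "output database:" line. Returns 0 only when
# at least one such line exists and all of them use 127.0.0.1:TUNNEL_PORT.
check_db_output() {
    awk -v want="$TUNNEL_PORT" '
        /^[ \t]*output[ \t]+database:/ {
            seen++; host = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^host=/) host = substr($i, 6)
                if ($i ~ /^port=/) port = substr($i, 6)
            }
            if (host == "" || host == "localhost") {
                # MySQL clients use the Unix socket for "localhost", so the
                # forwarded TCP port is never used; a missing host is rejected too.
                printf "FAIL line %d: host must be 127.0.0.1 to use the tunnel\n", NR; bad++
            } else if (host != "127.0.0.1") {
                printf "FAIL line %d: host=%s bypasses the tunnel (cleartext MySQL)\n", NR, host; bad++
            } else if (port != want) {
                # Assumption of this check: the port is always written out.
                printf "FAIL line %d: port=%s, tunnel listens on %s\n", NR, port, want; bad++
            } else {
                printf "OK   line %d: 127.0.0.1:%s\n", NR, port
            }
        }
        END { exit (seen == 0 || bad > 0) }
    ' "$1"
}

# Constructed sample config: the line from the message plus one that points
# straight at a remote database (192.0.2.10 is a documentation address).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# output database: log, mysql, dbname=old host=192.0.2.99
output database: alert, mysql, dbname=snort user=snort host=127.0.0.1 port=3306 password=password sensor_name=snort1 detail=full encoding=hex
output database: alert, mysql, dbname=snort user=snort host=192.0.2.10 port=3306 password=password sensor_name=snort1
EOF
check_db_output "$sample" || echo "snort.conf would send alerts outside the tunnel"
rm -f "$sample"
```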

 
