[Snort-users] Newbie Question

Wilcoxen, Scott SWilcoxen at ...9020...
Sun Apr 27 20:48:01 EDT 2003


Well, we used old machines we had lying around to set this up, so disk
space is limited on both sensors as well as the machine hosting the
database.  I didn't want to log all traffic to the database for that
reason.  So, I've managed to use the snortd scripts, which are hidden
quite nicely in the snortsource/contrib directory, to start and stop
snort.  So, I'm logging all traffic in tcpdump binary format on the local
hard drive of the sensors themselves and alerts go to the database.  I
have daily cron jobs stopping snort, moving the log files off of the
sensors to a share on one of my Windows servers, and then starting snort
back up again!  It's working quite nicely now!!  The problem I'm having
now is with ACID.  It seems when I query the database from within ACID,
for example all alerts from a particular source IP, and I go to page 2, it
loses the criteria specified in the query and just starts giving me all
the alerts that have been logged.  I'll probably mention that later in a
separate post if I can't figure something out.


Scott S Wilcoxen
Macfadden & Associates, Inc.
Email: Swilcoxen at macf dot com 
www.macf.com
 

-----Original Message-----
From: Bruno Benchimol a.k.a. Misty MSt [mailto:mistymst at ...8178...] 
Sent: Sunday, April 27, 2003 11:23 AM
To: Wilcoxen, Scott

Make snort log directly to a database :) with output alert: log database
....
:)
(btw if you want to keep the binary tcpdump format, you can run another
instance of snort to do it)
Once the sensors are logging directly to the database so ACID can see it,
you see that you have 2 sensors there :). I haven't set up anything like
that, because of $ problems my snort box is running with all inside, mysql,
acid ... and with only 1 nic :( but that's ok :) it's doing its job and got
relative security to it.

Well, try my suggestion about logging to a database instead of to a file.


----- Original Message -----
From: Wilcoxen, Scott
To: Snort-users at lists.sourceforge.net
Sent: Friday, April 25, 2003 3:38 PM
Subject: [Snort-users] Newbie Question


I'm relatively new to both Snort and Linux, so please bear with me here.
I have got snort set up on two separate machines.  One machine is
listening to traffic on the outside of my firewall and the other on the
inside.  On a third machine I've got a MySQL database to which I'm
logging alerts.  I've set up an apache web server on this machine as well
and am using ACID to view the alerts being logged.  My sensors are
logging all packets in binary tcpdump format on the local hard drive.  I
would like to set up a cron job to move these logs to another machine
every day so that the hard drives on my sensors don't fill up.  I'm
starting snort in daemon mode and noticed that when I move the logs it
doesn't seem to start another one.  So my theory was that if I stop
snort, move the logs, and restart snort I would be ok.  Problem is I
can't find a way to stop snort short of issuing a 'kill pid'.  I want to
script all of this.  Any suggestions?



Scott S Wilcoxen
Macfadden & Associates, Inc.
Office: 301.562.3046
Mobile: 410.688.2813
Fax: 301.588.0390
Email: SWilcoxen at ...9020...
www.macf.com
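As an added example (not code from this thread, and not Snort's own contrib snortd script), here is a shell script for the procedure asked about in the original message above and described as working in Scott's reply: stop the snort daemon, move the closed tcpdump-format packet logs off the sensor, start snort again. Snort keeps its current log file open, so moving the file out from under a running daemon does not make it open a new one; the daemon has to be stopped (and actually gone) before the move. The log directory, the pid-file name (Snort 2.x started with -D writes /var/run/snort_<iface>.pid by default), the mount point of the Windows share, and the path of the snortd init script are all assumptions to adjust for your sensors.

```shell
#!/bin/sh
# Added example, not code from the thread: nightly rotation of a Snort
# sensor's binary (tcpdump-format) packet logs. The daemon is stopped and
# waited for, the now-closed log files are moved off the sensor, and the
# daemon is started again.
#
# Assumptions (adjust for your sensor): logs live in $LOG_DIR, snort was
# started with -D and wrote its pid to $PIDFILE (Snort 2.x default is
# /var/run/snort_<iface>.pid), the Windows share is mounted at $ARCHIVE,
# and $SNORTD is the contrib snortd init script.
LOG_DIR=${LOG_DIR:-/var/log/snort}
ARCHIVE=${ARCHIVE:-/mnt/logshare}
PIDFILE=${PIDFILE:-/var/run/snort_eth0.pid}
SNORTD=${SNORTD:-/etc/init.d/snortd}
SENSOR=${SENSOR:-$(uname -n)}

# Send SIGTERM to the pid in $PIDFILE and wait (up to 30 s) for the
# process to exit, so the log file is closed before it is moved.
# Returns 0 if snort is not running (no pid file, or a stale pid) and
# 1 if it did not exit in time.
stop_snort() {
    [ -r "$PIDFILE" ] || return 0
    pid=$(cat "$PIDFILE")
    kill -TERM "$pid" 2>/dev/null || return 0
    i=0
    while kill -0 "$pid" 2>/dev/null; do
        i=$((i + 1))
        if [ "$i" -ge 30 ]; then
            echo "snort (pid $pid) did not exit" >&2
            return 1
        fi
        sleep 1
    done
    return 0
}

# Move every snort.log.* file from $1 into a per-day directory under $2,
# prefixing the file name with the sensor name so that both sensors can
# share one archive without overwriting each other. Other files in the
# log directory (e.g. the text alert file) are left alone.
# Prints the number of files moved.
rotate_logs() {
    src=$1
    dst=$2
    day=$(date +%Y%m%d)
    mkdir -p "$dst/$day" || return 1
    n=0
    for f in "$src"/snort.log.*; do
        [ -e "$f" ] || continue          # glob matched nothing
        mv "$f" "$dst/$day/$SENSOR-$(basename "$f")" || return 1
        n=$((n + 1))
    done
    echo "$n"
}

# Full nightly run, meant for cron, e.g.
#   5 0 * * * /usr/local/sbin/rotate-snort.sh run
main() {
    stop_snort || exit 1
    moved=$(rotate_logs "$LOG_DIR" "$ARCHIVE")
    rc=$?
    # Start snort again even if the move failed: a sensor that stays
    # down loses traffic, while a full disk can still be dealt with.
    "$SNORTD" start
    if [ "$rc" -ne 0 ]; then
        echo "log move failed, check $LOG_DIR and $ARCHIVE" >&2
        exit 1
    fi
    echo "moved $moved log file(s) to $ARCHIVE"
}

if [ "${1:-}" = run ]; then
    main
fi
```

The script does the same `kill pid` that the snortd script does; what it adds is waiting for the process to be gone before touching the files, which is what keeps the last packets of the day from being written into a file that has already been moved. Moving to a mounted network share is a copy-then-delete across filesystems, so the sensor briefly needs enough free space for the copy to complete, and a failed copy leaves the file in place for the next night's run.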
