[Snort-users] snort-mysql, logging on TWO sql servers

Michael Steele michaels at ...9077...
Sat Nov 29 12:25:07 EST 2003


It should be as simple as taking the existing output database line and
duplicating it on the sensor that you want re-directed. You may need to set
the parameters of that line to reflect the necessary paths and names,
including adding sensor_name so you will know which sensor the alert
originated from.

This means that the newly added sensor will also need a clear shot to the
database.

Cheers...

-The WINSNORT.com Management Team
-- 
 Pick up your FREE Windows or UNIX Snort installation guides       
 mailto:support at ...9077...
 Website: http://www.winsnort.com
 Snort: Open Source Network IDS - http://www.snort.org


> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-
> admin at lists.sourceforge.net] On Behalf Of Michel Christophe
> Sent: Saturday, November 29, 2003 9:48 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] snort-mysql, logging on TWO sql servers
> 
> Hello
> 
> 	I run snort on two separate networks linked over VPN. Snort logging to
> both sql servers taken separately works fine, so does the VPN.
> 
> 	For security reasons, I would like to mirror the logging of one snort
> sensor to both sql servers.
> 
> Versions are as follows:
> 
> [cm at ...10652... cm]$ rpm -qa | grep snort
> snort-mysql-2.0.1-3mdk
> snort-2.0.1-3mdk
> 
> [cm at ...10652... cm]$ rpm -qa | grep SQL
> MySQL-common-4.0.15-1mdk
> MySQL-client-4.0.15-1mdk
> MySQL-4.0.15-1mdk
> 
> On the first machine (let us call it MACHINE-A) I have the following
> snort database logging config:
> 
> output database: log, mysql, user=XXXXX password=YYYYY dbname=snort host=localhost encoding=hex detail=full
> 
> (this machine hosts both snort AND mysql server)
> 
> And I would like this machine to sql-log ALSO on the second sql server
> (let us call it MACHINE-B). MACHINE-B is located over the VPN, but I
> think the VPN in itself is not a problem.
> 
> Before I run into big headaches, I would like to ask this list first if
> such a dual logging is possible?
> 
> Then, if this is possible (which I hope), could you enlighten me how
> I should fiddle with snort's config file:
> 
> Should I add a second snort-database logging config line such as
> follows:
> 
> output database: log, mysql, user=XXXXX password=YYYYY dbname=snort host=MACHINE-B encoding=hex detail=full
> 
> or sum'thin' like this :
> 
> output database: log, mysql, user=XXXXX password=YYYYY dbname=snort host=localhost, MACHINE-B encoding=hex detail=full
> 
> Thanks for light
> 
> --
> Michel Christophe <tofm2 at ...1855...>
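
The reply's advice (one duplicated output database line per server, plus sensor_name) can be checked mechanically before restarting the sensor. The following is an added example, not code from the thread or from the Snort project; the sample config is constructed, and the function names parse_database_outputs and lint are hypothetical.

```python
import re

# Constructed sample: the original line plus a duplicate pointed at the second
# server, as the reply suggests. Credentials are the thread's placeholders.
SAMPLE_CONF = """\
output database: log, mysql, user=XXXXX password=YYYYY dbname=snort host=localhost encoding=hex detail=full sensor_name=MACHINE-A
output database: log, mysql, user=XXXXX password=YYYYY dbname=snort host=MACHINE-B encoding=hex detail=full sensor_name=MACHINE-A
"""

OUTPUT_RE = re.compile(r"output\s+database:\s*(\w+)\s*,\s*(\w+)\s*,?\s*(.*)$")

def parse_database_outputs(conf_text):
    """Return one dict per 'output database:' line with its key=value parameters."""
    outputs = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        m = OUTPUT_RE.match(raw.strip())
        if not m:
            continue  # comments and unrelated directives
        params, stray = {}, []
        for token in m.group(3).split():
            key, sep, value = token.partition("=")
            if sep:
                params[key] = value
            else:
                stray.append(token)  # bare word with no key, e.g. a second host
        outputs.append({"line": lineno, "params": params, "stray": stray})
    return outputs

def lint(conf_text):
    """Return findings for a sensor that mirrors alerts to several databases."""
    findings, hosts = [], []
    for out in parse_database_outputs(conf_text):
        host = out["params"].get("host", "")
        if "," in host or out["stray"]:
            findings.append(f"line {out['line']}: several hosts on one line; "
                            "use one output line per server")
            continue
        hosts.append(host)
        if "sensor_name" not in out["params"]:
            findings.append(f"line {out['line']}: no sensor_name; set one so "
                            "alerts can be attributed to this sensor")
    if len(set(hosts)) < len(hosts):
        findings.append("two output lines point at the same host")
    return findings

if __name__ == "__main__":
    print(lint(SAMPLE_CONF) or "no findings")
```

The check only covers the config file; the "clear shot to the database" the reply mentions (network reachability and MySQL grants for the sensor's address) still has to be verified on the hosts themselves.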





