[Snort-users] snort-mysql, logging on TWO sql servers

Michael Steele michaels at ...9077...
Sat Nov 29 13:42:10 EST 2003


It greatly depends on your connection and the amount of traffic.

Cheers...

-The WINSNORT.com Management Team
-- 
 Pick up your FREE Windows or UNIX Snort installation guides       
 mailto:support at ...9077...
 Website: http://www.winsnort.com
 Snort: Open Source Network IDS - http://www.snort.org


> -----Original Message-----
> From: Ryan Finnesey [mailto:ryan.finnesey at ...8859...]
> Sent: Saturday, November 29, 2003 12:59 PM
> To: Michael Steele; snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] snort-mysql, logging on TWO sql servers
> 
> What type of bandwidth would you need on the VPN link?
> 
> 
> Ryan
> 
> 
> 
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Michael
> Steele
> Sent: Saturday, November 29, 2003 3:24 PM
> To: snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] snort-mysql, logging on TWO sql servers
> 
> It should be as simple as taking the existing output database line and
> duplicating it on the sensor that you want re-directed. You may need to set
> the parameters of that line to reflect the necessary paths and names,
> including adding sensor_name so you will know which sensor the alert
> originated from.
> 
> This means that the newly added sensor will also need a clear shot to the
> database.
> 
> Cheers...
> 
> -The WINSNORT.com Management Team
> --
>  Pick up your FREE Windows or UNIX Snort installation guides
>  mailto:support at ...9077...
>  Website: http://www.winsnort.com
>  Snort: Open Source Network IDS - http://www.snort.org
> 
> 
> > -----Original Message-----
> > From: snort-users-admin at lists.sourceforge.net
> > [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Michel Christophe
> > Sent: Saturday, November 29, 2003 9:48 AM
> > To: snort-users at lists.sourceforge.net
> > Subject: [Snort-users] snort-mysql, logging on TWO sql servers
> >
> > Hello
> >
> > I run snort on two separate networks linked over VPN. Snort logging to
> > both sql servers taken separately works fine, so does the VPN.
> >
> > For security reasons, I would like to mirror the logging of one snort
> > sensor to both sql servers.
> >
> > Versions are as follows:
> >
> > [cm at ...10652... cm]$ rpm -qa | grep snort
> > snort-mysql-2.0.1-3mdk
> > snort-2.0.1-3mdk
> >
> > [cm at ...10652... cm]$ rpm -qa | grep SQL
> > MySQL-common-4.0.15-1mdk
> > MySQL-client-4.0.15-1mdk
> > MySQL-4.0.15-1mdk
> >
> > On the first machine (let us call it MACHINE-A) I have the following
> > snort database logging config:
> >
> > output database: log, mysql, user=XXXXX password=YYYYY dbname=snort
> > host=localhost encoding=hex detail=full
> >
> > (this machine hosts both snort AND mysql server)
> >
> > And I would like this machine to sql-log ALSO on the second sql server
> > (let us call it MACHINE-B; MACHINE-B is located over the VPN, but I
> > think vpn in itself is not a problem).
> >
> > Before I run into big headaches, I would like to ask this list first if
> > such a dual logging is possible?
> >
> > Then, if this is possible (which I hope), could you enlighten me how
> > I should fiddle with snort's config file:
> >
> > Should I add a second snort-database logging config line such as
> > follows:
> >
> > output database: log, mysql, user=XXXXX password=YYYYY dbname=snort
> > host=MACHINE-B encoding=hex detail=full
> >
> > or sum'thin' like this :
> >
> > output database: log, mysql, user=XXXXX password=YYYYY dbname=snort
> > host=localhost, MACHINE-B encoding=hex detail=full
> >
> > Thanks for light
> >
> > --
> > Michel Christophe <tofm2 at ...1855...>
> 
> 
> 
> 
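Added example, not part of the original thread and not Snort project code: a small Python checker for the `output database:` lines discussed above, reporting which servers would receive events and flagging the two issues the thread raises (more than one host on a line, no `sensor_name`). It assumes the parameter list is space-separated `name=value` pairs as in the poster's working line; the sample config and the `sensor-a` value are constructed.

```python
import re

# Constructed sample: lines 1-2 are the duplicated-line form with sensor_name
# added (the value sensor-a is made up); line 3 is the comma-separated host
# guess from the original question.
SAMPLE_CONF = """\
output database: log, mysql, user=XXXXX password=YYYYY dbname=snort host=localhost encoding=hex detail=full sensor_name=sensor-a
output database: log, mysql, user=XXXXX password=YYYYY dbname=snort host=MACHINE-B encoding=hex detail=full sensor_name=sensor-a
output database: log, mysql, user=XXXXX password=YYYYY dbname=snort host=localhost, MACHINE-B encoding=hex detail=full
"""

LINE_RE = re.compile(r"^\s*output\s+database\s*:\s*(\w+)\s*,\s*(\w+)\s*,\s*(.*)$")

def parse_database_outputs(conf_text):
    """Return one dict per 'output database:' line found in conf_text."""
    outputs = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        match = LINE_RE.match(line)
        if not match:
            continue  # comment, blank line, or another directive
        params, stray = {}, []
        for token in match.group(3).split():
            key, sep, value = token.partition("=")
            if sep and key and value and "," not in value:
                params[key] = value
            else:
                stray.append(token)  # not a clean name=value pair
        outputs.append({"line": lineno, "facility": match.group(1),
                        "dbtype": match.group(2), "params": params, "stray": stray})
    return outputs

def check_outputs(outputs):
    """Return (line, message) findings for the issues raised in the thread."""
    findings = []
    for out in outputs:
        if out["stray"]:
            findings.append((out["line"], "one host per output line; unexpected: "
                             + " ".join(out["stray"])))
        if "sensor_name" not in out["params"]:
            findings.append((out["line"], "sensor_name not set"))
    return findings

def target_hosts(outputs):
    """Hosts of the well-formed lines, i.e. the servers that would receive events."""
    return [o["params"]["host"] for o in outputs if not o["stray"] and "host" in o["params"]]

if __name__ == "__main__":
    parsed = parse_database_outputs(SAMPLE_CONF)
    print(target_hosts(parsed), check_outputs(parsed))
```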
