[Snort-users] Sensor Agent at Remote machine

Naveen C Joshi naveen_joshi at ...11009...
Thu May 20 09:41:04 EDT 2004


Hi,
I have two setups for snort as below :
RH-9.0, snort-2.1, snortcenter-agent-v1.0-RC1, snortcenter-v1.0-RC1,
Acid-0.9.6b23, Snort Enterprise Imp. by Steven J.S.
-------------------------------------------------------
setup-1.	snort, snortcenter, snort-sensor-agent, acid installation.
Setup-1 is working fine and I am getting all the alerts in the ACID
database. My snort daemon is running as
"/usr/sbin/snort -b -d -D -i eth0 -u snort -g snort -c
/etc/snort/snort.conf -l /var/log/snort"
At my SnortCenter console I have created output-plugins and a
sensor (11.10.44.33:2525), which is eth0. This sensor IP address is
available in my ACID database. Again I add another sensor on the SnortCenter
console, which is the IP address and port of setup-2 (11.10.99.88:2525), and
it shows me green status for connectivity, but it is not available in the ACID
database. And I am not even getting any of the alerts of this setup-2 in my
ACID database.

-------- My concern was to manage the setup-2 sensor agent from the setup-1
SnortCenter --------
setup-2.	Here is my setup-2 installation details
I have installed snort + the sensor agent on setup-2 (11.10.99.88). All
the rules are being updated on that machine by snort itself. The snort.conf
on that machine has been configured as per the requirement; only the database
part is not configured, it is commented out. Am I wrong or right?

The daemon is running with the command

/usr/sbin/snort -A unsock -b -d -D  -i eth0 -u snort -g snort -c
/etc/snort/snort.conf -l /var/log/snort

where the ALERTMODE=unsock

The sensor agent installation is as below (miniserv.conf):

port=2525
bind= 11.10.99.88
root=/var/www/html/sensor/cgi
host=11.10.99.88
addtype_cgi=internal/cgi
realm=SnortCenter Sensor
logfile=/var/www/html/sensor/log/miniserv.log
pidfile=/var/www/html/sensor/log/miniserv.pid
errorlog=/var/www/html/sensor/log/miniserv.error
logtime=168
ssl=0
env_SENSOR_CONFIG=/var/www/html/sensor/conf
env_SENSOR_VAR=/var/www/html/sensor/log
atboot=1
logout=/var/www/html/sensor/conf/logout-flag
denyfile=\.pl$
log=1
blockhost_failures=5
blockhost_time=60
passdelay=1
syslog=1
allow=11.10.44.33
session=0
userfile=/var/www/html/sensor/conf/sensor.users
keyfile=/var/www/html/sensor/conf/sensor.pem
################################################################################
This is the output from my socket; it means the socket connection is also
not established.
[root at ...11841.../root]# netstat -na | grep -w 2525
tcp        0      0 11.10.99.88:2525      0.0.0.0:*               LISTEN
tcp        0      0 11.10.99.88:2525      11.10.44.33:54175      TIME_WAIT
tcp        0      0 11.10.99.88:2525      11.10.44.33:54169      TIME_WAIT
#########################################################################

Please let me know what I am missing in this configuration. Is this not the
correct method for remote sensor agent configuration?

Please help me with this topic; I have been working on it for the last two
weeks with no success.

Thanks in advance.

best regards

Naveen

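Added diagnostic, not part of the original post and not SnortCenter's or Snort's own code. It checks the three things the post shows for the remote sensor: the state of the TCP sockets on the agent port (a LISTEN entry plus TIME_WAIT entries means the console connected and the connections closed normally, which is what the green status reflects), the -A alert mode of the running snort, and whether the sensor's snort.conf has an active `output database:` line. The sensor agent on port 2525 is assumed to carry only configuration and rules; alerts reach the ACID database only through Snort's database output plugin configured in that sensor's own snort.conf, so a sensor whose database output is commented out never appears in ACID. The netstat lines, the two snort.conf fragments, the database credentials and the console host address 11.10.44.33 as MySQL server are constructed for the example.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): why a remote Snort sensor
# managed by SnortCenter can show a green agent status yet write nothing for
# ACID. All sample data below is constructed; credentials are placeholders.

# Constructed sample: the netstat lines quoted in the post for agent port 2525.
SAMPLE_NETSTAT='tcp        0      0 11.10.99.88:2525      0.0.0.0:*               LISTEN
tcp        0      0 11.10.99.88:2525      11.10.44.33:54175      TIME_WAIT
tcp        0      0 11.10.99.88:2525      11.10.44.33:54169      TIME_WAIT'

# Constructed sample: setup-2 snort.conf with the database output commented out.
BROKEN_CONF='output alert_syslog: LOG_AUTH LOG_ALERT
# output database: alert, mysql, user=snort password=CHANGEME dbname=snort host=11.10.44.33'

# Constructed sample: the same file with the database plugin enabled, pointing
# at the MySQL server on the console host (assumed to be 11.10.44.33).
FIXED_CONF='output alert_syslog: LOG_AUTH LOG_ALERT
output database: alert, mysql, user=snort password=CHANGEME dbname=snort host=11.10.44.33'

SETUP2_CMD='/usr/sbin/snort -A unsock -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort'

# Count TCP socket states for a local port in `netstat -na` output read on stdin.
# Columns: Proto Recv-Q Send-Q Local-Address Foreign-Address State.
port_states() {
    awk -v port="$1" '
        $1 ~ /^tcp6?$/ && $4 ~ (":" port "$") { n[$6]++ }
        END { printf "LISTEN=%d ESTABLISHED=%d TIME_WAIT=%d\n",
                     n["LISTEN"], n["ESTABLISHED"], n["TIME_WAIT"] }'
}

# Print the value of the -A (alert mode) switch from a snort command line,
# or "default" when the switch is absent.
alert_mode() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i < NF; i++) if ($i == "-A") { print $(i + 1); exit }
          print "default" }'
}

# Print the active (uncommented) "output database:" lines of a snort.conf read
# on stdin; the exit status is 1 when there are none (grep behaviour).
active_db_outputs() {
    grep -E '^[[:space:]]*output[[:space:]]+database:'
}

# Verdict for one sensor whose snort.conf is read on stdin: prints
# "db-output-active" (status 0) or "no-db-output" (status 1). Without the
# database plugin, alerts in any -A mode stay on the sensor host.
alert_path_verdict() {
    if active_db_outputs >/dev/null; then
        echo "db-output-active"
        return 0
    fi
    echo "no-db-output"
    return 1
}

# Stand-alone run over the constructed samples.
echo "agent port 2525: $(printf '%s\n' "$SAMPLE_NETSTAT" | port_states 2525)"
echo "setup-2 alert mode: $(alert_mode "$SETUP2_CMD")"
echo "setup-2 as posted: $(printf '%s\n' "$BROKEN_CONF" | alert_path_verdict || true)"
echo "setup-2 with DB plugin: $(printf '%s\n' "$FIXED_CONF" | alert_path_verdict || true)"
```

On a real sensor, feed `netstat -na`, the actual `/etc/snort/snort.conf` and the running command line from `ps` into the same functions. A sensor that reports `no-db-output` needs a database output plugin assigned to it (in SnortCenter, an output plugin attached to that sensor and the configuration pushed), and the sensor host must be able to reach the MySQL port on the database host.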