[Snort-users] Remote sensor startup issue.

Alex Butcher, ISC/ISYS Alex.Butcher at ...11254...
Wed Feb 16 02:19:31 EST 2005


--On 15 February 2005 08:12 -0500 mdpeters 
<michael.peters at ...10939...> wrote:

> Are you suggesting that a remote Snort sensor can not send alerts to a
> central Snort MySQL system?

It can, but as it's not multithreaded, if the database slows down, Snort 
will start dropping (i.e. ignoring, rather than blocking) traffic.

> It seems to me that all I need to do is resolve the startup malfunction.
> It logs just fine when I manually fire
> the remote sensor up.
>
> I have no experience with Barnyard. Would I run a MySQL database on the
> sensor and use Barnyard to send alerts to the central system?

No. Snort logs to a unified log file, Barnyard picks up new entries and 
sends them to the database server. The database server and Barnyard can be 
on the same host, or different hosts. Barnyard and Snort must be on the 
same machine (unless you use NFS or something to share out the log 
director... ewwww...)

To return to your original problem, though, what user is attempting to 
start snort at system boot? Do they have read access to all the snort 
config files? What error messages are given? (they might be in 
/var/log/messages or similar).

Best Regards,
Alex.
-- 
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
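
The read-access check raised in the reply above, as an added example that is not part of the original message: run it as the account the boot script uses and compare the result with a manual start. The function name is hypothetical, and the script assumes Snort 2.x `var` and `include` lines with relative includes resolved against the directory of the config file.

```shell
#!/bin/sh
# Added example: list every file referenced by a snort.conf that the
# current user cannot read. Run it as the boot-time account, e.g.
#   su -s /bin/sh snort -c 'sh check_snort_conf.sh /etc/snort/snort.conf'
# (the account name "snort" and the script name are assumptions).

# unreadable_snort_files CONF
# Prints one unreadable path per line; returns 1 if any were found.
unreadable_snort_files() {
    conf=$1
    dir=$(dirname "$conf")
    if [ ! -r "$conf" ]; then
        echo "$conf"
        return 1
    fi
    bad=0
    # "var NAME VALUE" definitions, kept as NAME=VALUE words so that
    # $NAME inside an include path can be expanded below.
    vars=$(awk '$1 == "var" && NF >= 3 { print $2 "=" $3 }' "$conf")
    for path in $(awk '$1 == "include" && NF >= 2 { print $2 }' "$conf"); do
        for def in $vars; do
            name=${def%%=*}
            value=${def#*=}
            path=$(printf '%s\n' "$path" | sed "s|\$$name|$value|g")
        done
        # Assumption: relative includes are relative to the config file.
        case $path in
            /*) ;;
            *) path=$dir/$path ;;
        esac
        if [ ! -r "$path" ]; then
            echo "$path"
            bad=1
        fi
    done
    return $bad
}

# When called with a config path, report and exit non-zero on a problem.
if [ $# -ge 1 ]; then
    unreadable_snort_files "$1"
fi
```

A missing file is reported the same way as one the account lacks permission to read, so the output covers both causes of a boot-time failure that a manual start as root would not show.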





