[Snort-users] Remote sensor startup issue.
Alex Butcher, ISC/ISYS
Alex.Butcher at ...11254...
Wed Feb 16 02:19:31 EST 2005
--On 15 February 2005 08:12 -0500 mdpeters
<michael.peters at ...10939...> wrote:
> Are you suggesting that a remote Snort sensor can not send alerts to a
> central Snort MySQL system?
It can, but as it's not multithreaded, if the database slows down, Snort
will start dropping (i.e. ignoring, rather than blocking) traffic.
> It seems to me that all I need to do is resolve the startup malfunction.
> It logs just fine when I manually fire
> the remote sensor up.
> I have no experience with Barnyard. Would I run a MySQL database on the
> sensor and use Barnyard to send alerts to the central system?
No. Snort logs to a unified log file; Barnyard picks up new entries and
sends them to the database server. The database server and Barnyard can be
on the same host, or different hosts. Barnyard and Snort must be on the
same machine (unless you use NFS or something to share out the log
To return to your original problem, though, what user is attempting to
start Snort at system boot? Do they have read access to all the Snort
config files? What error messages are given? (They might be in
/var/log/messages or similar.)
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9