[Snort-users] Snort, Barnyard, Mysql
owensr at ...5068...
Sat Oct 15 15:21:03 EDT 2005
I have several questions relating to the use of Snort, Barnyard and Mysql that hopefully someone can shed some light on.
First, I have heard that if Barnyard is run on the same platform that the Snort sensor resides on, there is no performance enhancement because the same box is doing both the sensing and the unified file output parsing. Is this true? If so, what methods are employed to get the unified files to another box?
When I imported the snort schema inside the create_mysql file into Mysql v. 5.0.12 it choked on the table 'schema'. When I altered the table name before input to 'scheme' the snort database was created successfully and the database seemed usable, but I assume something will be unhappy at some point with the changed table name. Anyone run into this before?
One item in the project I am working on is providing sysadmins of various subnets access to the Snort alerts pertaining to their subnets while not allowing them to see event information that pertains to subnets they do not control. These sysadmins are using Snort database access agents which assume they are provided a database name of the form 'database.*' over which they will have SELECT access to all tables to do various types of queries. Has anyone done anything similar and can give me general guidance on how to accomplish this? I assume that a 'view' would need to be created and a 'grant' given to individual users which only gives access based on the source and destination IPs falling into their domain. Having a little trouble figuring out if this is a feasible scheme and what the general syntax would look like.
Thanks for any help that can be provided.
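One way to build the per-subnet view and grant described in the third question, written as an added example rather than anything from the original post or the Snort project. It assumes the standard Snort MySQL schema in a database named `snort` (tables event, iphdr, signature, sensor, with iphdr.ip_src/ip_dst stored as unsigned 32-bit integers) and uses a constructed subnet, account name and password; the filtered views live in a separate database so the agent's expected 'database.*' grant can be used unchanged.

```sql
-- Added example, not from the original post. Assumes Snort's stock schema
-- in database `snort`: event(sid,cid,signature,timestamp,...),
-- iphdr(sid,cid,ip_src,ip_dst,...) with addresses as unsigned 32-bit ints,
-- plus signature and sensor. Run as a privileged account that owns the views.

-- Constructed subnet 192.168.10.0/24. The mask is applied with a bitwise
-- AND so both operands stay unsigned integers, as iphdr stores them.
CREATE DATABASE IF NOT EXISTS snort_net10;

-- iphdr restricted to packets with a source or destination inside the subnet.
CREATE VIEW snort_net10.iphdr AS
SELECT *
FROM snort.iphdr
WHERE (ip_src & INET_ATON('255.255.255.0')) = INET_ATON('192.168.10.0')
   OR (ip_dst & INET_ATON('255.255.255.0')) = INET_ATON('192.168.10.0');

-- event restricted to the same (sid,cid) pairs, so the agent's usual
-- event/iphdr join only ever returns this subnet's alerts. Events with no
-- IP header row (non-IP traffic) are dropped here by design.
CREATE VIEW snort_net10.event AS
SELECT e.*
FROM snort.event e
JOIN snort_net10.iphdr i ON i.sid = e.sid AND i.cid = e.cid;

-- Lookup tables carry no per-host data, so they are exposed unfiltered.
CREATE VIEW snort_net10.signature AS SELECT * FROM snort.signature;
CREATE VIEW snort_net10.sensor    AS SELECT * FROM snort.sensor;

-- The agent's account (constructed name/password) gets SELECT on
-- snort_net10.* only and no grant at all on the base `snort` database, so it
-- cannot bypass the WHERE clause by reading snort.iphdr directly. MySQL views
-- default to SQL SECURITY DEFINER: the base tables are read with the view
-- owner's privileges, not the grantee's.
CREATE USER 'net10admin'@'localhost' IDENTIFIED BY 'replace-with-real-password';
GRANT SELECT ON snort_net10.* TO 'net10admin'@'localhost';

-- Check as the grantee: the first query succeeds, the second is denied.
-- SELECT INET_NTOA(ip_src), INET_NTOA(ip_dst) FROM snort_net10.iphdr LIMIT 5;
-- SELECT COUNT(*) FROM snort.iphdr;   -- expect "SELECT command denied"
```

Repeat the block with a different database name, subnet and account for each subnet owner; the agent then simply points at its own 'snort_netNN.*'.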