[Snort-users] Multiple sensors one database

Atkins, Dwane P ATKINSD at ...9240...
Wed Apr 13 11:27:32 EDT 2011


I know have the sensor sending information to a centralized database.  My issue was that we had added permissions to snort-sensor1 at ...15241... instead of 'snort'@'snort-sensor1.v60.mydomain.com'.  I do have issues with my sensor2, but I believe that is a configuration issue. 

TO complete this:

I execute mysql -u root -p <enter> and the root password on the server which host the centralize database. Type in use snort; and then I typed in GRANT ALL ON snort.* TO 'snort'@'snort-sensor1.v60.mydomain.com';.  I typed in the same command for the sensor2.  As soon as this happened, you could see the traffic passing. 

Thanks to all for your help.  I hope this will help someone later down the line.

I have defined my centralized database in the barnyard2.conf file.  



Dwane

-----Original Message-----
From: Atkins, Dwane P [mailto:ATKINSD at ...9240...] 
Sent: Tuesday, April 12, 2011 9:15 PM
To: beenph
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Multiple sensors one database

Yes.

I think you are right on track with my desires.  These two sensors need to send their alerts to a centralized mysql server on another device.  

I really believe we are experiencing a permissions issue.  We can ping each device so the connectivity via ICMP is there.  

Each database, which I am not sure I need on the sensors, are called snort with identical setups with the exception of sensor_names and ip addresses.

I am at a loss and any help or thoughts would be appreciated.

Thank you
--- From my iPhone.  Dwane

On Apr 12, 2011, at 8:33 PM, "beenph" <beenph at ...11827...> wrote:

> On Tue, Apr 12, 2011 at 5:03 PM, Atkins, Dwane P <ATKINSD at ...9240...> wrote:
>> Good afternoon,
>> 
>> We are running two snort devices and attempting to get them both to record
>> to one mysql database.
>> 
>> Created database snort.  Assigned permissions to sensor1 at ...15240... and
>> sensor2 at ...15242...  I installed Snort 2.9.0.5 schema so that databases
>> would all look the same. Yes, I did have a single mysql database on each
>> sensor but was told in that in order to run a particular Application, I
>> would need a single database.
>> 
>> We are using Snort 2.9.0.5 on Ubuntu 10.04.01 LTS.  We are using Barnyard2.
>> In the Barnyard2.conf file, we have an entry, "output database: log, mysql,
>> user=snort password=snortpass dbname=snort host=10.10.12.1
>> sensor_name='sensor1'  and have an identical entry for the second sensor.
>> 
>> I have not made any configuration changes the my.cnf.  It currently binds to
>> 127.0.0.1 but should I have it bind to the Master
>> 
>> # Instead of skip-networking the default is now to listen only on
>> 
>> # localhost which is more compatible and is not less secure.
>> 
>> bind-address            = 10.10.12.1
>> 
>> Is there anywhere else I need to check?  Do I need to shutdown mysql on each
>> sensor now?
>> 
>> Thank you
>> 
>> Dwane
>> 
> 
> I am not sure i clearly understand your statement, but on your second
> sensor you should
> have sensor_name='sensor2', since if i remember well the "acid" schema
> will use that to identify
> last_cid and you could run into sync trouble if you run two sensor who
> use the same event counter.
> 
> On the other hand as i stated i am not sure i undersand completly your
> ultimate goal beside probably
> using a database on a separate system, if thats so then you should
> update both barnyard config to
> point to your new database and from there restart barnyard and it
> should be logging to the "centralized" database.
> 
> -elz

------------------------------------------------------------------------------
Forrester Wave Report - Recovery time is now measured in hours and minutes
not days. Key insights are discussed in the 2010 Forrester Wave Report as
part of an in-depth evaluation of disaster recovery service providers.
Forrester found the best-in-class provider in terms of services and vision.
Read this report now!  http://p.sf.net/sfu/ibm-webcastpromo
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list