[Snort-users] Multiple sensors one database

beenph beenph at ...11827...
Wed Apr 13 13:06:02 EDT 2011


I'm glad that you figured it out, but it seemed to be more a db issue
than a snort/BY2 issue and, as you said, this will probably leave traces
if someone has a similar issue.


On Wed, Apr 13, 2011 at 11:27 AM, Atkins, Dwane P <ATKINSD at ...9240...> wrote:
> I now have the sensor sending information to a centralized database.  My issue was that we had added permissions to snort-sensor1 at ...15241... instead of 'snort'@'snort-sensor1.v60.mydomain.com'.  I do have issues with my sensor2, but I believe that is a configuration issue.
>
> To complete this:
>
> I execute mysql -u root -p <enter> and the root password on the server which hosts the centralized database. Type in use snort; and then I typed in GRANT ALL ON snort.* TO 'snort'@'snort-sensor1.v60.mydomain.com';.  I typed in the same command for the sensor2.  As soon as this happened, you could see the traffic passing.
>
> Thanks to all for your help.  I hope this will help someone later down the line.
>
> I have defined my centralized database in the barnyard2.conf file.
>
>
>
> Dwane
>
> -----Original Message-----
> From: Atkins, Dwane P [mailto:ATKINSD at ...9240...]
> Sent: Tuesday, April 12, 2011 9:15 PM
> To: beenph
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Multiple sensors one database
>
> Yes.
>
> I think you are right on track with my desires.  These two sensors need to send their alerts to a centralized mysql server on another device.
>
> I really believe we are experiencing a permissions issue.  We can ping each device so the connectivity via ICMP is there.
>
> Each database, which I am not sure I need on the sensors, is called snort with identical setups with the exception of sensor_names and ip addresses.
>
> I am at a loss and any help or thoughts would be appreciated.
>
> Thank you
> --- From my iPhone.  Dwane
>
> On Apr 12, 2011, at 8:33 PM, "beenph" <beenph at ...11827...> wrote:
>
>> On Tue, Apr 12, 2011 at 5:03 PM, Atkins, Dwane P <ATKINSD at ...9240...> wrote:
>>> Good afternoon,
>>>
>>> We are running two snort devices and attempting to get them both to record
>>> to one mysql database.
>>>
>>> Created database snort.  Assigned permissions to sensor1 at ...15240... and
>>> sensor2 at ...15242...  I installed Snort 2.9.0.5 schema so that databases
>>> would all look the same. Yes, I did have a single mysql database on each
>>> sensor but was told in that in order to run a particular Application, I
>>> would need a single database.
>>>
>>> We are using Snort 2.9.0.5 on Ubuntu 10.04.01 LTS.  We are using Barnyard2.
>>> In the Barnyard2.conf file, we have an entry, "output database: log, mysql,
>>> user=snort password=snortpass dbname=snort host=10.10.12.1
>>> sensor_name='sensor1'  and have an identical entry for the second sensor.
>>>
>>> I have not made any configuration changes to the my.cnf.  It currently binds to
>>> 127.0.0.1 but should I have it bind to the Master?
>>>
>>> # Instead of skip-networking the default is now to listen only on
>>>
>>> # localhost which is more compatible and is not less secure.
>>>
>>> bind-address            = 10.10.12.1
>>>
>>> Is there anywhere else I need to check?  Do I need to shutdown mysql on each
>>> sensor now?
>>>
>>> Thank you
>>>
>>> Dwane
>>>
>>
>> I am not sure I clearly understand your statement, but on your second
>> sensor you should
>> have sensor_name='sensor2', since if I remember well the "acid" schema
>> will use that to identify
>> last_cid and you could run into sync trouble if you run two sensors that
>> use the same event counter.
>>
>> On the other hand, as I stated, I am not sure I understand completely your
>> ultimate goal beside probably
>> using a database on a separate system; if that's so then you should
>> update both barnyard configs to
>> point to your new database and from there restart barnyard and it
>> should be logging to the "centralized" database.
>>
>> -elz
>
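The two points the thread settles (one unique sensor_name per sensor in barnyard2.conf, and a MySQL account whose user part is 'snort' and whose host part is the sensor's hostname) as an added example, not code from the thread or from Snort/Barnyard2. It generates the matching config line and GRANT for each sensor and refuses duplicate sensor_names; the sensor2 hostname, the password and the privilege list are constructed placeholders, and the account's password is assumed to be set separately.

```python
"""Generate per-sensor barnyard2 output lines and the matching MySQL GRANTs.

Constructed example for the thread above; hostnames and password are placeholders.
"""
from dataclasses import dataclass

DB_USER = "snort"       # must equal user= in barnyard2.conf
DB_NAME = "snort"
DB_HOST = "10.10.12.1"  # central MySQL server named in the thread


@dataclass(frozen=True)
class Sensor:
    name: str  # sensor_name in barnyard2.conf; must be unique across sensors
    host: str  # hostname the sensor connects from, as the MySQL server resolves it


def barnyard2_output_line(sensor: Sensor, password: str) -> str:
    """The 'output database:' line for one sensor's barnyard2.conf."""
    return (f"output database: log, mysql, user={DB_USER} password={password} "
            f"dbname={DB_NAME} host={DB_HOST} sensor_name='{sensor.name}'")


def grant_statement(sensor: Sensor, privileges: str = "ALL") -> str:
    """GRANT for the account barnyard2 actually connects with.

    The user part stays 'snort' and the sensor goes in the host part. Granting to
    a user named after the sensor (the mistake in the thread) creates an account
    that barnyard2 never authenticates as, so its inserts are refused.
    'ALL' mirrors the thread; pass a narrower list if you know what barnyard2 needs.
    """
    return f"GRANT {privileges} ON {DB_NAME}.* TO '{DB_USER}'@'{sensor.host}';"


def build_plan(sensors: list, password: str) -> dict:
    """Return {sensor_name: (barnyard2 line, GRANT)}; reject duplicate sensor_names,
    which would make two sensors share one event counter (last_cid)."""
    names = [s.name for s in sensors]
    duplicates = sorted({n for n in names if names.count(n) > 1})
    if duplicates:
        raise ValueError(f"sensor_name must be unique per sensor; duplicates: {duplicates}")
    return {s.name: (barnyard2_output_line(s, password), grant_statement(s)) for s in sensors}


if __name__ == "__main__":
    plan = build_plan([Sensor("sensor1", "snort-sensor1.v60.mydomain.com"),
                       Sensor("sensor2", "snort-sensor2.v60.mydomain.com")], "snortpass")
    for name, (line, grant) in plan.items():
        print(f"# {name}\n{line}\n{grant}")
```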