Snort mailing list archives
RE: Newbie Question
From: "Wilcoxen, Scott" <SWilcoxen () macf com>
Date: Sun, 27 Apr 2003 23:46:55 -0400
Well, we used old machines we had lying around to set this up, so disk space is limited on both sensors as well as the machine hosting the database. I didn't want to log all traffic to the database for that reason. So, I've managed to use the snortd scripts, which are hidden quite nicely in the snortsource/contrib directory, to start and stop snort. So, I'm logging all traffic in tcpdump binaries on the local hard drive of the sensors themselves, and alerts go to the database. I have daily cron jobs stopping snort, moving the log files off of the sensors to a share on one of my Windows servers, and then starting snort back up again! It's working quite nicely now!!

The problem I'm having now is with ACID. It seems when I query the database from within ACID, for example all alerts from a particular source IP, and I go to page 2, it loses the criteria specified in the query and just starts giving me all the alerts that have been logged. I'll probably mention that later in a separate post if I can't figure something out.

Scott S Wilcoxen
Macfadden & Associates, Inc.
Email: Swilcoxen at macf dot com
www.macf.com

-----Original Message-----
From: Bruno Benchimol a.k.a. Misty MSt [mailto:mistymst () ig com br]
Sent: Sunday, April 27, 2003 11:23 AM
To: Wilcoxen, Scott

Make snort log directly to a database :) with output alert: log database .... :) (btw, if you want to keep the binary tcpdump format, you can run another instance of snort to do it). Once the sensors are logging directly to the database so ACID can see it, you see that you have 2 sensors there :). I haven't set up anything like that, because of $ problems my snort box is running with all inside, mysql, acid ... and with only 1 nic :( but that's ok :) it's doing its job and got relative security to it. Well, try my suggestion about logging to a database instead of to a file.
----- Original Message -----
From: Wilcoxen, Scott
To: Snort-users () lists sourceforge net
Sent: Friday, April 25, 2003 3:38 PM
Subject: [Snort-users] Newbie Question

I'm relatively new to both Snort and Linux, so please bear with me here. I have got snort set up on two separate machines. One machine is listening to traffic on the outside of my firewall and the other on the inside. On a third machine I've got a MySQL database to which I'm logging alerts. I've set up an Apache web server on this machine as well and am using ACID to view the alerts being logged. My sensors are logging all packets in binary tcpdump format on the local hard drive. I would like to set up a cron job to move these logs to another machine every day so that the hard drives on my sensors don't fill up. I'm starting snort in daemon mode and noticed that when I move the logs it doesn't seem to start another one. So my theory was that if I stop snort, move the logs, and restart snort I would be ok. Problem is I can't find a way to stop snort short of issuing a 'kill pid'. I want to script all of this. Any suggestions?

Scott S Wilcoxen
Macfadden & Associates, Inc.
Office: 301.562.3046
Mobile: 410.688.2813
Fax: 301.588.0390
Email: SWilcoxen () macf com
www.macf.com
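The stop / move / restart rotation the thread describes, written out as a cron-able script. This is an added example, not Scott's script and not the contrib snortd script from the Snort source tree. It assumes (none of these are stated in the thread) that the daemon was started with `-D -i eth0` and therefore wrote its PID to /var/run/snort_eth0.pid, that the binary logs live in /var/log/snort as snort.log.*, and that the Windows share is already mounted at /mnt/logshare; every path and the start command can be overridden through the environment variables shown.

```shell
#!/bin/sh
# rotate-snort-logs.sh: stop the snort daemon cleanly, move its closed
# tcpdump-format logs to a mounted share, then start snort again.
# All paths below are assumptions for this example; override via environment.
PIDFILE="${SNORT_PIDFILE:-/var/run/snort_eth0.pid}"   # written by 'snort -D -i eth0' (assumed)
LOGDIR="${SNORT_LOGDIR:-/var/log/snort}"
DEST="${SNORT_DEST:-/mnt/logshare/$(uname -n)}"       # one subtree per sensor
START_CMD="${SNORT_START:-/usr/sbin/snort -D -c /etc/snort/snort.conf -i eth0 -l /var/log/snort}"

# Send SIGTERM to the PID in the pidfile and wait up to $1 seconds for it to
# exit, so the last packet log is flushed and closed before we move it.
stop_snort() {
    timeout="${1:-30}"
    [ -r "$PIDFILE" ] || { echo "no readable pidfile: $PIDFILE" >&2; return 1; }
    pid=$(cat "$PIDFILE")
    kill -TERM "$pid" 2>/dev/null || { echo "pid $pid not running" >&2; return 1; }
    while [ "$timeout" -gt 0 ] && kill -0 "$pid" 2>/dev/null; do
        sleep 1
        timeout=$((timeout - 1))
    done
    if kill -0 "$pid" 2>/dev/null; then
        echo "pid $pid did not exit; not touching logs" >&2
        return 1
    fi
    rm -f "$PIDFILE"
    return 0
}

# Move every snort.log.* file into a per-day directory on the share.
# Prints the number of files moved; fails if the share is not writable.
move_logs() {
    day=$(date +%Y-%m-%d)
    mkdir -p "$DEST/$day" || return 1
    n=0
    for f in "$LOGDIR"/snort.log.*; do
        [ -f "$f" ] || continue          # no match: the glob stays literal
        mv "$f" "$DEST/$day/" || return 1
        n=$((n + 1))
    done
    echo "$n"
}

# Full rotation. Logs are only moved after snort has really exited, and
# snort is restarted regardless of how many files were found.
rotate() {
    stop_snort 30 || return 1
    move_logs || return 1
    $START_CMD
}

# Run only when invoked as 'rotate-snort-logs.sh run' (e.g. from cron), so
# sourcing the file for testing does not touch a live sensor.
case "${1:-}" in
    run) rotate ;;
esac
```

Two caveats worth keeping in mind with this approach. The sensor is blind between the SIGTERM and the restart, so keep the window short (the script moves files rather than copying them for that reason) and schedule it for a quiet hour. And the files land on a Windows share with whatever permissions that share grants; the packet logs contain full payloads from both sides of the firewall, so restrict the share to the sensor accounts and the analysts who need it.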
Current thread:
- Newbie question Chris (Apr 21)
- Re: Newbie question Erick Mechler (Apr 21)
- Re: Newbie question (FAQ 4.3 update requested) Matt Kettler (Apr 21)
- <Possible follow-ups>
- RE: Newbie question Potts, Ross A. (Apr 23)
- Newbie Question Wilcoxen, Scott (Apr 25)
- RE: Newbie Question Pacheco, Michael F. (Apr 25)
- RE: Newbie Question Wilcoxen, Scott (Apr 27)