On Mar 30, 2006, at 6:10 PM, Edward Norton wrote:

> On 3/30/06, Alex Dean wrote:
>> On Mar 30, 2006, at 11:42 AM, Jim wrote:
>>
>> ps - I haven't yet found an addon package that will support Snort
>> (intrusion detection) logging to MySQL. All you get by default is
>> logging to a text file, which you can read via IPCop's web
>> interface. Not very useful, as you basically have to troll through
>> pages and pages of log entries looking for possible problems. I've
>> turned Snort off until I find a more effective way to analyze its
>> logs. That's maybe a little off topic, but it's the only thing I've
>> yet wanted from IPCop that hasn't been easy to add.
>
> I'm not aware of any add-ons like that, but you could presumably
> upload one of the snort analyzers to the IPCop box and go from there.

I may try some of the tools for analyzing Snort's text-based logs, but I was most interested in the RDBMS options. The package I really want to use is BASE (http://secureideas.sourceforge.net/), which is a successor to a similar project called ACID (http://acidlab.sourceforge.net/). It's a PHP/MySQL app for analyzing Snort logs. You can't use BASE if Snort isn't logging to MySQL.

If I was building Snort from scratch, adding MySQL support looks pretty simple, but not on IPCop. It doesn't seem to include the basics like cc or make. This makes a lot of sense, given IPCop's purpose as a stripped-down firewall, but it leaves me a little stuck on how to expand it. I guess maybe I need to figure out how some of the other addon providers package their upgrades, and that might clue me in.

I've asked twice on the IPCop users list as to how I might add a mysql-enabled Snort, and have gotten 0 responses. Searching their list archives, all I found was a note from 2004 suggesting that the way to do this was to build your own IPCop distribution. (IPCop is based on Linux From Scratch.) I got the source for IPCop and poked around, but haven't made a ton of progress.

Seems like there should be a simpler way. All that is really needed is a different version of snort (actually, just compiled with 1 extra flag set) and the MySQL client library. I'm still surprised this isn't already out there, but maybe someday I'll actually figure out how to make it happen. :)

Any help/advice is appreciated.

alex
.
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change you mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
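The thread above is about two ways of getting past "pages and pages of log entries": either rebuild Snort with MySQL output so BASE/ACID can query the alerts, or analyze the text log that IPCop already writes. The following is an added example, not code from the thread or from the Snort, IPCop or BASE projects. It shows the second route taken one step further: parse Snort's single-line "fast" alert format into structured records, load them into a relational table (in-memory SQLite stands in for the MySQL schema BASE would query; the table layout and column names here are this example's own, not BASE's), and run the grouping queries that make alerts digestible: count per signature, and count per source address above a priority threshold. The alert lines, signature IDs and addresses are constructed sample data.

```python
"""Parse Snort 'fast'-format alert lines and load them into a table for querying.

Added example: the log lines, SIDs, addresses and table layout below are
constructed for illustration and are not taken from the mailing-list thread.
"""
import re
import sqlite3

# Constructed sample input in the one-alert-per-line shape of Snort 2.x
# "alert_fast" output.  The last line is deliberately malformed.
SAMPLE_ALERTS = """\
03/30-18:10:15.123456  [**] [1:1000001:1] EXAMPLE SCAN portscan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:43512 -> 192.0.2.10:22
03/30-18:10:16.000001  [**] [1:1000001:1] EXAMPLE SCAN portscan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:43513 -> 192.0.2.10:23
03/30-18:11:02.500000  [**] [1:1000002:3] EXAMPLE WEB suspicious URI [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.4:51000 -> 192.0.2.10:80
03/30-18:12:40.000000  [**] [1:1000003:1] EXAMPLE ICMP ping sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.7 -> 192.0.2.10
this line is not an alert and should be skipped
"""

# timestamp, [gid:sid:rev], message, optional classification, priority,
# protocol, then src[:port] -> dst[:port] (no ports for ICMP).
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alerts(text):
    """Return one dict per well-formed alert line; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("gid", "sid", "rev", "prio"):
            rec[key] = int(rec[key])
        for key in ("sport", "dport"):
            rec[key] = int(rec[key]) if rec[key] is not None else None
        records.append(rec)
    return records


def load_alerts(records):
    """Load parsed alerts into an in-memory SQLite table (a stand-in for a MySQL backend)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE event ("
        "ts TEXT, gid INTEGER, sid INTEGER, rev INTEGER, msg TEXT, cls TEXT, "
        "prio INTEGER, proto TEXT, src TEXT, sport INTEGER, dst TEXT, dport INTEGER)"
    )
    conn.executemany(
        "INSERT INTO event VALUES "
        "(:ts, :gid, :sid, :rev, :msg, :cls, :prio, :proto, :src, :sport, :dst, :dport)",
        records,
    )
    conn.commit()
    return conn


def alerts_by_signature(conn):
    """(sid, msg, count) rows, busiest signature first."""
    return conn.execute(
        "SELECT sid, msg, COUNT(*) AS n FROM event GROUP BY sid, msg ORDER BY n DESC, sid"
    ).fetchall()


def top_sources(conn, max_priority=3):
    """(src, count) for alerts at or above a severity threshold.

    Snort priorities are inverted: 1 is the most severe, so a lower
    max_priority means a stricter filter.
    """
    return conn.execute(
        "SELECT src, COUNT(*) AS n FROM event WHERE prio <= ? "
        "GROUP BY src ORDER BY n DESC, src",
        (max_priority,),
    ).fetchall()


if __name__ == "__main__":
    conn = load_alerts(parse_alerts(SAMPLE_ALERTS))
    print("alerts per signature:")
    for sid, msg, n in alerts_by_signature(conn):
        print(f"{n:5d}  [{sid}] {msg}")
    print("sources with priority 1 or 2 alerts:")
    for src, n in top_sources(conn, max_priority=2):
        print(f"{n:5d}  {src}")
```

To use it against a real IPCop box, replace `SAMPLE_ALERTS` with the contents of Snort's alert file (on an IPCop install it is whichever file the web interface displays) and point `load_alerts` at a persistent database file instead of `":memory:"`. The regex is deliberately strict (anchored at both ends, ports optional only because ICMP alerts carry none) so a truncated or foreign line is dropped rather than silently mis-parsed into the wrong columns.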