All,
Last August I attended the O'Reilly Open Source Convention in Portland
and attended a session where Jeremy Brinkley spoke specifically on the
subject of Snort and MySQL working together. The presentation slides
can be found at
http://www.batray.net/jeremy/Getting_the_Right_Answers_from_Snort/
It's on my list of "neat things I really want to check out further
because they're likely to be really useful..."
Richard Wilson
-----------------------------------------------------
On Fri, 2006-03-31 at 10:09 -0700, Alex Dean wrote:
> On Mar 30, 2006, at 6:10 PM, Edward Norton wrote:
>
> > On 3/30/06, Alex Dean <alex@crackpot.org> wrote:
> > On Mar 30, 2006, at 11:42 AM, Jim wrote:
> >
> > ps - I haven't yet found an addon package that will support Snort
> > (intrusion detection) logging to MySQL. All you get by default is
> > logging to a text file, which you can read via IPCop's web
> > interface. Not very useful, as you basically have to troll through
> > pages and pages of log entries looking for possible problems. I've
> > turned Snort off until I find a more effective way to analyze its
> > logs. That's maybe a little off topic, but it's the only thing I've
> > yet wanted from IPCop that hasn't been easy to add.
> >
> > I'm not aware of any add-ons like that, but you could presumably
> > upload one of the snort analyzers to the IPCop box and go from there.
>
> I may try some of the tools for analyzing Snort's text-based logs,
> but I was most interested in the RDBMS options. The package I really
> want to use is BASE (http://secureideas.sourceforge.net/), which is a
> successor to a similar project called ACID
> (http://acidlab.sourceforge.net/). It's a PHP/MySQL app for analyzing
> Snort logs.
>
> You can't use BASE if Snort isn't logging to MySQL. If I was
> building Snort from scratch, adding MySQL support looks pretty
> simple, but not on IPCop. It doesn't seem to include the basics like
> cc or make. This makes a lot of sense, given IPCop's purpose as a
> stripped-down firewall, but it leaves me a little stuck on how to
> expand it. I guess maybe I need to figure out how some of the other
> addon providers package their upgrades, and that might clue me in.
>
> I've asked twice on the IPCop users list as to how I might add a
> mysql-enabled Snort, and have gotten 0 responses. Searching their
> list archives, all I found was a note from 2004 suggesting that the
> way to do this was to build your own IPCop distribution. (IPCop is
> based on Linux From Scratch.) I got the source for IPCop and poked
> around, but haven't made a ton of progress. Seems like there should
> be a simpler way.
>
> All that is really needed is a different version of snort (actually,
> just compiled with 1 extra flag set) and the MySQL client library.
> I'm still surprised this isn't already out there, but maybe someday
> I'll actually figure out how to make it happen. :) Any help/advice
> is appreciated.
>
> alex
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss