RE: [Snort-users] Barnyard vs. Mudpit

From: Truax, Shawn (MBS) (Shawn.Truax@mbs.gov.on.ca)
Date: Thu Apr 22 2004 - 07:09:53 CDT


Hi,
 
Two things off the top of my head. One, I have the duplicate entry error in
ACID using Mudpit. I didn't know there was the same issue with Barnyard,
but if so it looks like either way you are going to have to deal with it.
It won't affect the DB in any way that I can tell. It only affects the ACID
cache table. (Someone correct me if I am wrong there.) Secondly, I use
Mudpit and find it works great for me. I spool out through Mudpit to the
ACID database on a different server as well as to Syslog locally on the
sensor. I do this through SnortCenter and set up 2 different output options
and have them both set up on the sensor at the same time. Works very well
for me. You could do the same in the snort.conf if you didn't want to use
SnortCenter. Just set up Mudpit to do the DB spool and then set up snort
itself to do the Syslog. Something like this in snort.conf:
 
#Mudpit Lines
output alert_unified: filename /var/log/snort-eth1/alert.log, limit 128
output log_unified: filename /var/log/snort-eth1/log.log, limit 128
 
#Syslog Lines
output alert_syslog: LOG_LOCAL0 LOG_ALERT
 

Shawn Truax
Security Specialist
Corporate Security
155 University Ave.
Toronto, Ontario
M5H 3B7
(416)327-1107

-----Original Message-----
From: jonasb@alum.rpi.edu [mailto:jonasb@alum.rpi.edu]
Sent: April 21, 2004 10:38 AM
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] Barnyard vs. Mudpit

Hi All -

I've been reading through the list archives to learn more about my output
options, but haven't found a definitive answer yet. I've set up Barnyard to
output to a remote mysql server from my Snort sensor. Everything works fine,
although I am a bit concerned about the duplicate entry issue w/ alert
rules. So, I figured, why not try mudpit. I've read however that some people
weren't really able to capture sessions using stream processing and tag
rules. I'd like to be able to have that functionality - has anyone been able
to get this to work with Mudpit? If not, can you think of any other options?

Also - on my db server, I'm running syslog with swatch on the back-end and
would like close to RT email alerting functionality for alerts. I know that
Barnyard can output to syslog, but what about Mudpit - if so, which output
plugin would I use?

Thanks!
B
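The syslog path described in the reply (alert_syslog on the sensor) and the near-real-time email alerting the original poster asks about meet in whatever reads the syslog on the DB server. The script below is an added example, not code from Snort, Mudpit, Barnyard, ACID, swatch or either poster: it parses the line format Snort 2.x writes through "output alert_syslog", keeps only alerts at or above a priority threshold, and suppresses repeats of the same signature between the same two hosts inside a five-minute window so the mailbox does not flood the way the ACID duplicate entries do. The sample log lines, the year 2004 for the year-less syslog timestamps, the priority threshold and the window are all assumptions of this example.

```python
"""Decide which Snort alert_syslog lines deserve a near-real-time email.

Added example for this thread; it is not code from Snort, Mudpit, Barnyard,
ACID, swatch or either poster. It assumes the line format Snort 2.x writes
through "output alert_syslog: LOG_LOCAL0 LOG_ALERT" and a per
(signature, source, destination) suppression window. The lines in
SAMPLE_LOG are constructed for the example.
"""
import re
from collections import namedtuple
from datetime import datetime, timedelta

YEAR = 2004  # syslog timestamps carry no year; assumed for the sample lines

Alert = namedtuple(
    "Alert",
    "ts gid sid rev msg classification priority proto src sport dst dport",
)

# Snort's syslog alert, after the syslog date/host/pid prefix:
#   [gid:sid:rev] MSG [Classification: X] [Priority: N]: {PROTO} SRC:SP -> DST:DP
# The classification block is optional and ICMP alerts carry no ports.
ALERT_RE = re.compile(
    r"""
    ^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s+\S+\s+snort(?:\[\d+\])?:\s+
    \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+
    (?P<msg>.*?)\s+
    (?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?
    \[Priority:\s+(?P<pri>\d+)\]:\s+
    \{(?P<proto>\w+)\}\s+
    (?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+
    (?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$
    """,
    re.VERBOSE,
)

# Constructed sample: two repeats of one alert inside the window, a lower
# priority ICMP alert, a repeat after the window, and a non-Snort line.
SAMPLE_LOG = """\
Apr 22 07:09:53 sensor1 snort[1204]: [1:498:6] ATTACK-RESPONSES id check returned root [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.1.2:80 -> 10.0.0.1:3333
Apr 22 07:10:01 sensor1 snort[1204]: [1:498:6] ATTACK-RESPONSES id check returned root [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.1.2:80 -> 10.0.0.1:3334
Apr 22 07:10:40 sensor1 snort[1204]: [1:384:5] ICMP PING [Classification: Misc activity] [Priority: 3]: {ICMP} 10.0.0.9 -> 192.168.1.2
Apr 22 07:16:02 sensor1 snort[1204]: [1:498:6] ATTACK-RESPONSES id check returned root [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.1.2:80 -> 10.0.0.1:3340
Apr 22 07:16:30 sensor1 sshd[900]: Accepted publickey for root from 10.0.0.5
"""


def _port(value):
    """Ports are absent for ICMP; keep None rather than a fake 0."""
    return int(value) if value is not None else None


def parse_line(line):
    """Return an Alert for a Snort syslog alert line, or None for anything else."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=YEAR)
    return Alert(
        ts=ts,
        gid=int(m.group("gid")),
        sid=int(m.group("sid")),
        rev=int(m.group("rev")),
        msg=m.group("msg"),
        classification=m.group("cls"),
        priority=int(m.group("pri")),
        proto=m.group("proto"),
        src=m.group("src"),
        sport=_port(m.group("sport")),
        dst=m.group("dst"),
        dport=_port(m.group("dport")),
    )


def select_for_email(lines, max_priority=2, window=timedelta(minutes=5)):
    """Keep alerts with priority <= max_priority (1 is most severe in Snort),
    and send the same (gid, sid, src, dst) at most once per window."""
    last_sent = {}
    chosen = []
    for line in lines:
        alert = parse_line(line)
        if alert is None or alert.priority > max_priority:
            continue
        key = (alert.gid, alert.sid, alert.src, alert.dst)
        prev = last_sent.get(key)
        if prev is not None and alert.ts - prev < window:
            continue  # repeat inside the window: already mailed
        last_sent[key] = alert.ts
        chosen.append(alert)
    return chosen


def mail_subject(alert):
    """Subject line for the notification; the body would carry the raw line."""
    return "[snort] %s %s -> %s (prio %d)" % (
        alert.msg, alert.src, alert.dst, alert.priority)


if __name__ == "__main__":
    for a in select_for_email(SAMPLE_LOG.splitlines()):
        print(a.ts.isoformat(), mail_subject(a))
```

On the DB server this would run against the syslog file that receives the sensor's LOG_LOCAL0 facility (tail it, feed each line to parse_line), or the regex alone can be dropped into a swatch watchfor; the window keyed on signature and host pair is what keeps a port scan or a chatty rule from producing one email per packet.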

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users