Re: [Snort-users] Snort, Mudpit, Unified logs and me...
This is a discussion on Re: [Snort-users] Snort, Mudpit, Unified logs and me... within the Snort forums, part of the System Security and Security Related category; Hi Russel, > I'm trying to set up what I think is "a normal" system pair: > = &...
|
|||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
01-02-2004
|
|||
|
|||
Re: [Snort-users] Snort, Mudpit, Unified logs and me...
Hi Russel,
> I'm trying to set up what I think is "a normal" system pair: > = > System 1: The Snort machine (Devil) > System 2: The log processing / alerting machine (Slackware 9.x) > = > Having done lots and lots of reading, it seems that the unified (binary= ) > output is "best" (as non-unified seems to lead to problems). > = > [As a side note, I did look at FLoP but patching snort is not an = > option due to the fact that I'm using a pre-built live-CD for system 1]= hmm, I think this should be a minor problem. But how do you update snort if it is so difficult to use a patched and self-compiled version of snort= ? With all possible options you have to extend your live-CD by some = programs. > Now, it seems that I have two options on system 2 - either Barnyard > or Mudpit. Seeing as I can't get Barnyard to configure (tried MySQL > 3.23, 4.017, my_connect, mysql_real_connect and all those other "fixes"= > to no avail), I'm forced to use Mudpit. I fear that if Barnyard is not able to work then Mudpit will fail with the same problems.... [...] > Hm. This raises 2 questions: > = > 1.) How does one specifiy that these two files should actually > be sent on a remote machine? In the MySQL example, it is = > obvious that you can specify a host, but mudput requires the = > files :/ > = > 2.) As these log files need to reside on a remote system, how = > would the limit work? The log files are created by the snort process and should stay on the local machine. This is the place where both, barnyard and mudpit expect the files. As you are using a Live-CD I think you will not use any harddisk on the snort machine? You can do at least two things: Store the files on a ram disk or on a nfs mounted partition. But both are options are not = really good... So maybe FLoP is not such a bad idea for this system? Best regards Dirk ------------------------------------------------------- This SF.net email is sponsored by: IBM Linux Tutorials. Become an expert in LINUX or just sharpen your skills. Sign up for IBM's Free Linux Tutorials. Learn everything from the bash shell to sys admin. Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click _______________________________________________ Snort-users mailing list Snort-users@lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/...fo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.p...st=snort-users 
|
Linear Mode
