All,

Last August I attended the O'Reilly Open Source Convention in Portland and attended a session where Jeremy Brinkley spoke specifically on the subject of Snort and MySQL working together. The presentation slides can be found at

http://www.batray.net/jeremy/Getting_the_Right_Answers_from_Snort/

It's on my list of "neat things I really want to check out further because they're likely to be really useful..."

Richard Wilson

-----------------------------------------------------
On Fri, 2006-03-31 at 10:09 -0700, Alex Dean wrote:
> On Mar 30, 2006, at 6:10 PM, Edward Norton wrote:
>
> > > On 3/30/06, Alex Dean wrote:
> > On Mar 30, 2006, at 11:42 AM, Jim wrote:
> >
> > ps - I haven't yet found an addon package that will support Snort
> > (intrusion detection) logging to MySQL. All you get by default is
> > logging to a text file, which you can read via IPCop's web
> > interface. Not very useful, as you basically have to troll through
> > pages and pages of log entries looking for possible problems. I've
> > turned Snort off until I find a more effective way to analyze its
> > logs. That's maybe a little off topic, but it's the only thing I've
> > yet wanted from IPCop that hasn't been easy to add.
> >
> > I'm not aware of any add-ons like that, but you could presumably
> > upload one of the snort analyzers to the IPCop box and go from there.
>
> I may try some of the tools for analyzing Snort's text-based logs,
> but I was most interested in the RDBMS options. The package I really
> want to use is BASE (http://secureideas.sourceforge.net/), which is a
> successor to a similar project called ACID (http://acidlab.sourceforge.net/).
> It's a PHP/MySQL app for analyzing Snort logs.
>
> You can't use BASE if Snort isn't logging to MySQL. If I was
> building Snort from scratch, adding MySQL support looks pretty
> simple, but not on IPCop. It doesn't seem to include the basics like
> cc or make. This makes a lot of sense, given IPCop's purpose as a
> stripped-down firewall, but it leaves me a little stuck on how to
> expand it. I guess maybe I need to figure out how some of the other
> addon providers package their upgrades, and that might clue me in.
>
> I've asked twice on the IPCop users list as to how I might add a
> mysql-enabled Snort, and have gotten 0 responses. Searching their
> list archives, all I found was a note from 2004 suggesting that the
> way to do this was to build your own IPCop distribution. (IPCop is
> based on Linux From Scratch.) I got the source for IPCop and poked
> around, but haven't made a ton of progress. Seems like there should
> be a simpler way.
>
> All that is really needed is a different version of snort (actually,
> just compiled with 1 extra flag set) and the MySQL client library.
> I'm still surprised this isn't already out there, but maybe someday
> I'll actually figure out how to make it happen. :) Any help/advice
> is appreciated.
>
> alex
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
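Jim's complaint about trolling through pages of text alerts, and Alex's goal of getting Snort alerts into a database where they can be queried, both come down to the same first step: parsing Snort's alert_fast text format into rows. The script below is an added example and is not code from any post in this thread, from IPCop, or from the BASE project. It loads alert_fast lines into an SQLite table (a stand-in for the MySQL schema that BASE expects; it does not replicate that schema) and runs the summary queries an analyst would start with. The sample alert lines, rule ids (gid:sid:rev), signature names and addresses are constructed for the example, and the regex assumes Snort 2.x alert_fast formatting with IPv4 addresses.

```python
import re
import sqlite3

# Constructed sample in Snort's alert_fast format. Rule ids, signature
# names and addresses are made up for this example; the last line shows
# that non-alert lines (e.g. Snort startup chatter) are skipped.
SAMPLE_ALERTS = """\
03/30-18:10:05.123456  [**] [1:1000001:1] EXAMPLE ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 198.51.100.5
03/30-18:10:06.223456  [**] [1:1000002:2] EXAMPLE SSH login attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:51234 -> 198.51.100.5:22
03/30-18:10:07.323456  [**] [1:1000002:2] EXAMPLE SSH login attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:51235 -> 198.51.100.5:22
03/30-18:10:08.423456  [**] [1:1000002:2] EXAMPLE SSH login attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:51236 -> 198.51.100.5:22
03/30-18:10:09.523456  [**] [1:1000001:1] EXAMPLE ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.77 -> 198.51.100.5
this line is not a snort alert and is skipped
"""

# One alert_fast line: timestamp, [gid:sid:rev], message, optional
# classification, priority, {protocol}, src[:port] -> dst[:port].
# IPv4 only: the address pattern stops at ':' so IPv6 would need a change.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[^\s:]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[^\s:]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Parse one alert_fast line into a dict, or return None if it is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "prio"):
        d[k] = int(d[k])
    for k in ("sport", "dport"):  # absent for ICMP and other port-less protocols
        d[k] = int(d[k]) if d[k] is not None else None
    return d


def load_alerts(text, conn=None):
    """Insert every parseable alert line into an 'alerts' table and return the connection."""
    conn = conn or sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE IF NOT EXISTS alerts ("
        " ts TEXT, gid INTEGER, sid INTEGER, rev INTEGER, msg TEXT, cls TEXT,"
        " prio INTEGER, proto TEXT, src TEXT, sport INTEGER, dst TEXT, dport INTEGER)"
    )
    rows = [a for a in map(parse_alert, text.splitlines()) if a]
    conn.executemany(
        "INSERT INTO alerts VALUES (:ts,:gid,:sid,:rev,:msg,:cls,:prio,:proto,:src,:sport,:dst,:dport)",
        rows,
    )
    conn.commit()
    return conn


def alert_count(conn):
    return conn.execute("SELECT COUNT(*) FROM alerts").fetchone()[0]


def top_signatures(conn, n=5):
    """Most frequent signatures; ties broken by name so results are deterministic."""
    return conn.execute(
        "SELECT msg, COUNT(*) AS c FROM alerts GROUP BY gid, sid, msg"
        " ORDER BY c DESC, msg LIMIT ?", (n,)).fetchall()


def top_sources(conn, n=5):
    """Source addresses generating the most alerts."""
    return conn.execute(
        "SELECT src, COUNT(*) AS c FROM alerts GROUP BY src"
        " ORDER BY c DESC, src LIMIT ?", (n,)).fetchall()


def high_priority(conn, max_prio=1):
    """Priority 1 is the most severe in Snort; summarise those by src/dst/port."""
    return conn.execute(
        "SELECT src, dst, dport, COUNT(*) AS c FROM alerts WHERE prio <= ?"
        " GROUP BY src, dst, dport ORDER BY c DESC, src", (max_prio,)).fetchall()


if __name__ == "__main__":
    db = load_alerts(SAMPLE_ALERTS)
    print("alerts loaded:", alert_count(db))
    print("top signatures:", top_signatures(db))
    print("top sources:", top_sources(db))
    print("priority-1 pairs:", high_priority(db))
```

To use it against a real box, feed it the contents of Snort's alert file instead of `SAMPLE_ALERTS` and point `load_alerts` at a file-backed SQLite database; the same `GROUP BY` queries work unchanged against MySQL once Snort's own database output is in place.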