      From: Hilmar F. <fr...@dr...> - 2008-07-15 16:25:00
Christopher <c.boggs <at> gmail.com> writes:

> Hey list,
>
> I'm new to OSSIM and I just set up the ISO installer on my laptop. Took a while to get everything configured as I'm using a hub on the ethernet interface to catch traffic outside my firewall, and a wireless interface for management, etc... but once I got everything working, I verified I'm seeing the traffic on the ethernet interface (it's eth2) with wireshark, but I get nothing from snort... (looking at events through BASE within OSSIM)... so I started checking things, I made sure Snort was configured to run on the correct interface, and I noticed it's not logging to mysql, but to unified log format which it stores in /var/log/snort. So I changed the config to log to mysql but now when I run it fails saying it's not compiled with mysql support... Is this intentional? Surely not? Everything else seems to work - and I've seen at least one other post on the SF.net forums where someone is having the same issue, so I hope this isn't just me...
>
> Thanks,
> Chris

Hi Christopher!

I know it's pretty delayed and thus my post is just for the records probably: You guessed right that the ISO installer follows a different concept of SNORT output handling: having SNORT logging to MySQL is way too slow, so unified output is the usual approach; the contained SNORT binary is not compiled with the MySQL option. OSSIM does not use barnyard for that (by default), but lets the OSSIM agent do the same job. That's what I learned so far.

Why SNORT is not creating any alarms while having some amount of events is exactly what I'm chewing on currently. Any hint here would really be appreciated. Regrettably that SNORT issue is not so well documented by the OSSIM maintainers, and as soon as I've got the scheme I would like to provide some little tutorial to fill that gap.

Best regards,
Hilmar
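What a consumer of Snort's unified output has to do in place of barnyard (or the MySQL output plugin), as an added example that is not OSSIM or Snort code: decode the binary record stream Snort appends to under /var/log/snort. It assumes the unified2 record layout (type/length header, 52-byte legacy IDS event body), which the thread itself does not name, and runs on constructed sample bytes rather than a real log.

```python
import socket
import struct

# Record type codes from the unified2 format (assumed; the thread says only "unified")
UNIFIED2_PACKET = 2       # Serial_Unified2Packet
UNIFIED2_IDS_EVENT = 7    # Unified2IDSEvent_legacy, 52-byte body
_HEADER = struct.Struct("!II")           # record type, record length
_EVENT = struct.Struct("!9I4s4sHHBBBB")  # network byte order, 52 bytes

def parse_records(data):
    """Walk the record stream; stop cleanly at a half-written trailing record."""
    offset = 0
    while offset + _HEADER.size <= len(data):
        rec_type, rec_len = _HEADER.unpack_from(data, offset)
        body = data[offset + _HEADER.size: offset + _HEADER.size + rec_len]
        if len(body) < rec_len:
            break  # Snort appends records as it goes; the tail is not complete yet
        offset += _HEADER.size + rec_len
        if rec_type == UNIFIED2_IDS_EVENT and rec_len >= _EVENT.size:
            f = _EVENT.unpack_from(body)
            yield {"type": "event", "sensor_id": f[0], "event_id": f[1],
                   "event_second": f[2], "signature_id": f[4], "generator_id": f[5],
                   "classification_id": f[7], "priority": f[8],
                   "src": socket.inet_ntoa(f[9]), "dst": socket.inet_ntoa(f[10]),
                   "sport": f[11], "dport": f[12], "protocol": f[13]}
        else:
            yield {"type": "other", "record_type": rec_type, "length": rec_len}

def summarize(data):
    """Counts an agent would forward upstream: events seen and their signature ids."""
    sigs, other = [], 0
    for rec in parse_records(data):
        if rec["type"] == "event":
            sigs.append(rec["signature_id"])
        else:
            other += 1
    return {"events": len(sigs), "other": other, "signatures": sorted(set(sigs))}

def _event_record(sig_id, src, dst, sport, dport, proto, priority):
    """Build one constructed IDS event record (sensor 1, generator 1, sig rev 3)."""
    body = _EVENT.pack(1, 42, 1216139100, 0, sig_id, 1, 3, 0, priority,
                       socket.inet_aton(src), socket.inet_aton(dst),
                       sport, dport, proto, 0, 0, 0)
    return _HEADER.pack(UNIFIED2_IDS_EVENT, len(body)) + body

# Constructed sample log: one event, one stub packet record, one truncated tail
SAMPLE_LOG = (_event_record(1000001, "10.0.0.5", "192.168.1.10", 40000, 80, 6, 2)
              + _HEADER.pack(UNIFIED2_PACKET, 4) + b"\x00" * 4
              + _HEADER.pack(UNIFIED2_IDS_EVENT, _EVENT.size) + b"\x00" * 10)
```

A real agent would tail the file and remember its offset, re-reading the truncated record once Snort finishes writing it; the stub packet record shows why the type field, not just the length, has to be checked before decoding.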