| how to use different sensor_name variables |
Hello,
Cool product!
I have a couple different sensors that are all feeding to a MYSQL db. All the sensors use the same rules. Is there a way to configure the Output Module | Database to use different sensor names for each device? When I currently upload the profile, it makes all the sensors have the same name, thus confusing BASE.
| Re: how to use different sensor_name variables |
In snort.conf, at the end of the output line where you specify the mySQL database, add
sensor_name=NAMEOFSENSOR
Change NAMEOFSENSOR to what you want the sensor name to be. :-)
Ray
| Re: how to use different sensor_name variables |
rpesek wrote:
> In snort.conf, at the end of the output line where you specify the mySQL database, add
> sensor_name=NAMEOFSENSOR
> Change NAMEOFSENSOR to what you want the sensor name to be. :-)
> Ray
I understand how to set up sensor names outside of the tool, my question is how to do it inside the tool. If I'm using IDSPM to push/manage snort.conf, how do I push different sensor names to different sensors all using the same profile?
| Re: how to use different sensor_name variables |
krypticet wrote:
> I have a couple different sensors that are all feeding to a MYSQL db. All the sensors use the same rules. Is there a way to configure the Output Module | Database to use different sensor names for each device? When I currently upload the profile, it makes all the sensors have the same name, thus confusing BASE.
This is set in the database output.. open the policy, go to output modules, open the database one and you can set it here.
Check out this screenshot for what I am talking about...
Cheers,
Jeff
| Re: how to use different sensor_name variables |
Jeff wrote:
> This is set in the database output.. open the policy, go to output modules, open the database one and you can set it here. Check out this screenshot for what I am talking about... Cheers, Jeff

Thanks Jeff. I know how to set it for 1 sensor using that method, but how can I set it for multiple sensors using different sensor names? Is there a variable I can include in the Sensor Name field in the Output | database | sensor_name section that will allow different names to be placed in the snort.conf for each sensor? Or is there some other method?
| Re: how to use different sensor_name variables |
I think I know the problem you are having.. You have one policy with multiple sensors? This can be solved in a couple of ways..
1. Create 1 policy for each sensor.
2. I believe you can have the sensor name a variable. Use the variable name as the sensor name and on each sensor in IDSPM set the variable to a unique value.
3. Don't use the DB output plugin. The DB output is actually not recommended for production. Use unified output with barnyard instead. Here is a good article about setting it up.
Cheers, Jeff
| Re: how to use different sensor_name variables |
Thanks Jeff. That answered my question. I tried using the variable option, but didn't find a sensor_name drop down in the dialog. Unified output appears to be the way to go. I'll approach it that way.
| Re: how to use different sensor_name variables |
Yea.. Barnyard is really the way to go.. In case anyone else wants to do this and doesn't want to use barnyard, or can't (barnyard does run on Windows), you could add the variable name yourself in the sensor or add a default value in the policy and it will then appear in the dropdown.
FYI: About how variables are added to a snort.conf when it is uploaded to a sensor...
The variables are added first from the policy, then the sensor variables are added. If there are any duplicates, the sensor variable overwrites the policy variable in the snort.conf.
Cheers,
Jeff
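
The following added example is not part of the thread and is not IDSPM code: it models the merge order Jeff describes (policy variables first, sensor variables overriding duplicates) and then audits the rendered `output database:` lines for shared or missing sensor_name values, the condition that confused BASE. The variable name SENSOR_NAME, the sensor ids, host and credentials are constructed placeholders, and the `{SENSOR_NAME}` template syntax is this example's own assumption.

```python
import re
from collections import defaultdict

# Constructed sample data: one shared policy, three sensors (all names hypothetical).
POLICY_VARS = {"HOME_NET": "10.0.0.0/8", "SENSOR_NAME": "default-sensor"}
SENSORS = {
    "dmz": {"SENSOR_NAME": "dmz-ids01"},
    "core": {"SENSOR_NAME": "core-ids01", "HOME_NET": "10.20.0.0/16"},
    "lab": {},  # no override: inherits the policy default
}
# Snort 2.x database output line; the {SENSOR_NAME} placeholder is this example's own.
OUTPUT_TEMPLATE = ("output database: log, mysql, user=snort password=CHANGEME "
                   "dbname=snort host=db.example.internal sensor_name={SENSOR_NAME}")

def merge_vars(policy_vars, sensor_vars):
    """Policy variables first, then sensor variables; the sensor wins on duplicates."""
    merged = dict(policy_vars)
    merged.update(sensor_vars)
    return merged

def render_conf(policy_vars, sensor_vars):
    """Build the variable and output lines one sensor would receive."""
    merged = merge_vars(policy_vars, sensor_vars)
    lines = [f"var {k} {v}" for k, v in merged.items()]
    lines.append(OUTPUT_TEMPLATE.format(**merged))
    return "\n".join(lines)

def sensor_name_of(conf_text):
    """Return sensor_name from the first 'output database:' line, or None."""
    for line in conf_text.splitlines():
        line = line.strip()
        if not line.startswith("output database:"):
            continue  # skips comments, var lines and other directives
        m = re.search(r"\bsensor_name=(\S+)", line)
        return m.group(1) if m else None
    return None

def audit(confs):
    """Return sensor_name values that are missing (None) or used by more than one sensor."""
    by_name = defaultdict(list)
    for sensor, text in confs.items():
        by_name[sensor_name_of(text)].append(sensor)
    return {n: ids for n, ids in by_name.items() if n is None or len(ids) > 1}

if __name__ == "__main__":
    confs = {s: render_conf(POLICY_VARS, v) for s, v in SENSORS.items()}
    for s, text in confs.items():
        print(s, "->", sensor_name_of(text))
    print("problems:", audit(confs))
```

Running the audit over the configurations actually deployed to each sensor, rather than over rendered ones, catches the single-policy case from the original question where every sensor ends up with the same name.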